CRYPTANALYSIS OF A MACLAREN-MARSAGLIA SYSTEM
CHARLES T. RETTER


ABSTRACT: A successful attack on a computer file encryption system
is described. The system was based on the MacLaren-Marsaglia algorithm
([1], [2] p. 30) for generating a sequence of pseudo-random
numbers from two other sequences.


INTRODUCTION 


The research and development groups at Data General do much of their work on a 
large network of interconnected minicomputers. In this environment (see [3]), 
it is not practical to rely on the operating system to protect files from 
unauthorized access, simply because most people have physical access to the 
unattended machines. For this reason, various file encryption systems have 
been developed. The early versions were trivial, but by 1980 a program was in 
use which its author claimed to be "virtually unbreakable short of exhaustive 
search." Since the key size was 31 bits, exhaustive search might have been 
possible, but on the available minicomputers it would have taken days of CPU 
time even with known plaintext. The system proved to be far less secure, and 
can usually be broken in minutes using just a guess about the plaintext. 


THE ENCRYPTION ALGORITHM 


A simple disassembly of the program revealed the algorithm (and in fact pro- 
duced a better understanding of what it really was doing than reading the 
source would have, since there were several mistakes in the source). The 
following is a somewhat simplified description of the algorithm. First two 
linear congruential generators are defined: 


FUNCTION RANDOM1;
BEGIN
  SEED1 := (46876 * SEED1 + 32749) MOD 59049;
  RETURN(SEED1);
END;

FUNCTION RANDOM2;
BEGIN
  SEED2 := (4353 * SEED2 + 32633) MOD 32768;
  RETURN(SEED2);
END;


Now a third function is defined, using a table of 257 elements. 


FUNCTION RANDOM3;
BEGIN
  I := RANDOM1 MOD 257;
  SEED3 := TABLE[I];
  TABLE[I] := RANDOM2;
  RETURN(SEED3);
END;


This algorithm is a version of the MacLaren-Marsaglia algorithm, which Knuth
[2] contends "will satisfy virtually anyone's requirements for randomness".
The algorithm is used by first initializing SEED1 and SEED2 with values that
serve as the key. Next, the function RANDOM3 is called some number of times,
which happens to depend on the file length. Then each 16-bit word in the file
is exclusive-ORed with a word produced by RANDOM3. Obviously, the same procedure
can be used either to encipher or to decipher a file.


The periods of the sequences produced by RANDOM1 and RANDOM2 are easily
determined. Both functions satisfy the conditions to generate maximal length
sequences ([2] p. 15), so the period of RANDOM1 is 59049 and the period of
RANDOM2 is 32768. Since these two numbers are relatively prime, the period of
RANDOM3 will be 1934917632.
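The three generators and the XOR step above, as an added Python model; this is not the program's own code, which the paper gives only in the Pascal-like sketch. Two details the paper leaves open are filled in as assumptions: TABLE starts out holding 257 RANDOM2 outputs, and the number of warm-up RANDOM3 calls, which the real program derived from the file length, is a plain parameter here. The period check walks each generator until its state recurs, which is what the maximal-length conditions cited from [2] predict, and then combines the two periods exactly as the paragraph does.

```python
import math

# RANDOM1 and RANDOM2 constants from the paper
A1, B1, M1 = 46876, 32749, 59049
A2, B2, M2 = 4353, 32633, 32768
TABLE_SIZE = 257


class MacLarenMarsaglia:
    """The file cipher's generator.  The key is (seed1, seed2).  TABLE is filled
    with 257 RANDOM2 outputs (an assumption; the paper does not say how it is
    filled) and `warmup` RANDOM3 calls are discarded (the paper derives this
    count from the file length; here it is a plain parameter)."""

    def __init__(self, seed1, seed2, warmup=0):
        self.seed1, self.seed2 = seed1, seed2
        self.table = [self.random2() for _ in range(TABLE_SIZE)]
        for _ in range(warmup):
            self.random3()

    def random1(self):
        self.seed1 = (A1 * self.seed1 + B1) % M1
        return self.seed1

    def random2(self):
        self.seed2 = (A2 * self.seed2 + B2) % M2
        return self.seed2

    def random3(self):
        i = self.random1() % TABLE_SIZE      # RANDOM1 only picks the slot
        out = self.table[i]                  # the slot holds an older RANDOM2 value
        self.table[i] = self.random2()       # refill it with a fresh one
        return out

    def crypt(self, words):
        """XOR each 16-bit word with a RANDOM3 word; enciphers and deciphers alike."""
        return [w ^ self.random3() for w in words]


def lcg_period(a, b, m, start=0):
    """Steps until x -> (a*x + b) mod m returns to `start`."""
    x, n = (a * start + b) % m, 1
    while x != start:
        x, n = (a * x + b) % m, n + 1
    return n


def random3_period():
    """The combined generator repeats only when both inner generators do."""
    p1, p2 = lcg_period(A1, B1, M1), lcg_period(A2, B2, M2)
    return p1 * p2 // math.gcd(p1, p2)


def roundtrip(words, seed1, seed2, warmup):
    """Encipher, then decipher with a fresh generator under the same key."""
    ciphertext = MacLarenMarsaglia(seed1, seed2, warmup).crypt(words)
    recovered = MacLarenMarsaglia(seed1, seed2, warmup).crypt(ciphertext)
    return ciphertext, recovered
```

Because both inner generators have full period, `lcg_period` returns the modulus itself for each of them, and `random3_period` gives the 1934917632 quoted above.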


BREAKING THE ALGORITHM 


The method of attack used was the known-plaintext attack. Since it turns out
that about ten known characters are usually sufficient, it is possible to use
a guess as the known plaintext. Assuming that the plaintext is correct, a
sequence of words from RANDOM3 becomes available. If we can determine the
values from RANDOM1 and RANDOM2 which produced these words, we will be able to
reconstruct the state of the table, and calculate the initial values of the
seeds.


Notice that all of the numbers produced by the function RANDOM3 actually were
generated by RANDOM2. The only effect of RANDOM1 is to insert a varying delay
between the time that RANDOM2 generates a number and the time that RANDOM3
uses it to transform the file. Using the method described in the appendix, we
can quickly calculate the time that a given number was generated, relative to
some arbitrary starting point. Of course, we don't know the actual starting
point (that was part of the key), but the differences between these times of
generation will be independent of the starting point. In fact, the sequence
of differences between generation times (from RANDOM2) of the numbers produced
by RANDOM3 depends only on the state of RANDOM1, not on RANDOM2.


Since the period of RANDOM1 is 59049, the period of this sequence of
differences will also be 59049, and the sequence can quickly be generated and placed
in a table. The table will be accessed by specifying a short subsequence. A
subsequence of four differences will uniquely identify a point in the overall
sequence in 97% of all cases. A subsequence of 11 differences is required for
uniqueness in all cases. When the table is generated, the values of RANDOM1
and the delays through the table can also be generated and stored.


The general procedure for breaking the algorithm can now be described. Let 
the values produced by the generators at time i be denoted RANDOM1[i], 
RANDOM2[i], and RANDOM3[i]. Then proceed as follows: 


(1) Take the string assumed to be plaintext and XOR it with the ciphertext at
    some position in the file. If this is the correct position, the results
    will be RANDOM3[i], RANDOM3[i+1], ...


(2) Since each of the RANDOM3 values was generated by RANDOM2 at some time,
    there exist values of j and A[i] such that

    RANDOM3[i] = RANDOM2[j]
    RANDOM3[i+1] = RANDOM2[j+A[i]]

    where A[i] is a function of RANDOM1[i].


(3) Using the procedure in Appendix B, calculate the values j, j+A[i],
    j+A[i]+A[i+1], j+A[i]+A[i+1]+A[i+2], and j+A[i]+A[i+1]+A[i+2]+A[i+3].
    Then the consecutive differences between these values produce A[i],
    A[i+1], A[i+2], and A[i+3]. If the magnitude of any of these differences
    is greater than 2787, go back to step (1) and try another position for
    the guess, since 2787 is the largest possible A.


(4) Search the A sequence (which may be generated once using RANDOM1 and the
    TABLE and placed in a hash table) for the four consecutive values just
    found. If the values are not found, go back to step (1) and try another
    position for the guess. If the values are found, and are unique, the
    value of RANDOM1[i] is known. Occasionally, the four values will not be
    unique. In that case, either additional values must be used or each of
    the possible matches must be tried, and the resulting plaintext checked.


(5) Since RANDOM1 also determines how long each element of RANDOM2 spends in
    the TABLE, RANDOM1[i] can be used to find i-j, i.e. the length of time
    that RANDOM2[j] spent in the TABLE. Since i is known, from the position
    in the file and the initialization delay, j can now be calculated.


(6) Use i and RANDOM1[i] to calculate the initial value of SEED1. 
(7) Use j and RANDOM2[j] to calculate the initial value of SEED2. 


Because the calculation of the differences is very fast, and the differences 
eliminate almost all incorrect guesses, it isn’t necessary to improve the 
procedure. Most files are broken in a minute or two assuming that the guess 
is found within the first thousand character positions. See Appendix C for an 
example of this procedure. 


DOUBLE-ENCRYPTION


When the author of the encryption program was informed that it had been 
broken, he made several attempts to improve it. In general, these attempts 
did not make the cipher much more difficult to break. It should be clear from 
the above procedure that even a significant increase in the key size would not 
make the system secure. Its primary weakness is that the effects of the two 
generators RANDOM1 and RANDOM2 can be separated and attacked individually. 
Furthermore, most guesses can be eliminated by using only the inverse of 
RANDOM2, which can be computed efficiently as shown in the appendix. 


The most successful countermeasure seemed to be double-encryption. Double-
encryption strengthens many systems (see [4], for example), and in this case
results in an effective key size of 62 bits, ruling out a brute-force attack.
Also, double-encryption seems to remove the weakness that was used in the 
above attack, since with double-encryption the sequence of numbers obtained by 
exclusive-ORing the known plaintext with the ciphertext no longer consists of 
numbers from the RANDOM2 sequence. Instead, each value is the XOR of two 
numbers from differently delayed RANDOM2 sequences. 


APRIL 1984 CRYPTOLOGIA

Notice, however, that the modulus of RANDOM2 is a power of 2. This implies
that the least significant bits of the numbers in the RANDOM2 sequence must
either be constant or alternating 0s and 1s ([2] p. 12). In fact, they are
alternating 0s and 1s. Therefore, the XOR of any two numbers from the RANDOM2
sequence will be even if the difference in their times of generation was even,
and odd if the difference in their times of generation was odd. Since the
delay through the table is a function only of RANDOM1, the least-significant
bits of successive XORs of the values produced by RANDOM3 form a pattern which
identifies the state of RANDOM1, a cryptographic weakness, as shown below.


The period of this sequence of bits is 59049, so the sequence can easily be 
generated and stored in a table. However, considerably more known-plaintext 
will be required to ensure that the XOR of two subsequences of this sequence 
is unique. Using subsequences of 38 bits results in a probability of unique- 
ness greater than 99%. If enough plaintext is available, the use of 64-bit 
subsequences will guarantee uniqueness, but duplicate matches are not a 
serious problem since they can be detected and the correct choice made based 
on the values of the RANDOM2 sequence. 
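An added Python illustration (not from the paper) of the low-bit weakness these two paragraphs rely on. random2_step is the RANDOM2 recurrence; low_bits_period generalises the observation, showing that the lowest k bits of this power-of-two-modulus generator repeat every 2^k steps, and leak_holds checks, over a constructed stretch of the sequence, that the least significant bit of R2[x] XOR R2[y] equals (x - y) mod 2, the identity the double-encryption attack is built on. The seed 456 is just the Appendix C key reused as sample input.

```python
# RANDOM2 constants from the paper
A2, B2, M2 = 4353, 32633, 32768


def random2_step(x):
    """One step of the RANDOM2 recurrence."""
    return (A2 * x + B2) % M2


def low_bits_period(k, seed=0):
    """Period of the k lowest bits of the RANDOM2 sequence.  Because the modulus
    is a power of two, the low k bits form their own generator mod 2^k and
    repeat every 2^k steps; for k = 1 this is the alternating 0/1 pattern."""
    mask = (1 << k) - 1
    x, n = random2_step(seed), 1
    while (x & mask) != (seed & mask):
        x, n = random2_step(x), n + 1
    return n


def xor_parity_leak(seed, x, y):
    """(low bit of R2[x] XOR R2[y], (x - y) mod 2) for the sequence started at `seed`.
    Under double encryption an attacker sees only the XOR of two such words, yet
    that bit still reveals the parity of the distance between their generation
    times, which is how the RANDOM1 state can be isolated."""
    rx = ry = seed
    for _ in range(x):
        rx = random2_step(rx)
    for _ in range(y):
        ry = random2_step(ry)
    return (rx ^ ry) & 1, (x - y) & 1


def leak_holds(seed=456, limit=500):
    """Check the identity R2[x] XOR R2[x+y] = y (mod 2) over a constructed stretch."""
    seq, x = [], seed
    for _ in range(limit):
        seq.append(x)
        x = random2_step(x)
    return all(((seq[i] ^ seq[j]) & 1) == ((i - j) & 1)
               for i in range(limit) for j in range(limit))
```

The same check fails for RANDOM1, whose modulus 59049 is odd, which is why the paper's double-encryption attack isolates RANDOM1 through RANDOM2's low bit rather than the other way round.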


The procedure for breaking a double-encrypted message is as follows: 


(1) Take 78 characters of known plaintext, and XOR them with the ciphertext
    to produce a sequence of 39 numbers, which should be equal to the XORs of
    two RANDOM3 sequences. Let the least significant bits of the known
    sequence be called R[i], R[i+1], etc., and let the least significant bits
    of the two unknown RANDOM3 sequences be called

    R3[i], R3[i+1], ... and r3[i], r3[i+1], ...

(2) Then we know that

    R[i] = R3[i] ⊕ r3[i] = R2[j] ⊕ r2[k]
    R[i+1] = R3[i+1] ⊕ r3[i+1] = R2[j+A[i]] ⊕ r2[k+δ[i]]

    So, if we XOR successive values of the R sequence, we get

    R[i] ⊕ R[i+1] = R2[j] ⊕ R2[j+A[i]] ⊕ r2[k] ⊕ r2[k+δ[i]]

    Since R2[x] ⊕ R2[x+y] = y mod 2 for any x and y, we have

    R[i] ⊕ R[i+1] = A[i] mod 2 ⊕ δ[i] mod 2
    R[i+1] ⊕ R[i+2] = A[i+1] mod 2 ⊕ δ[i+1] mod 2
(3) Using a table of sequences of (A mod 2) which are produced by the RANDOM1
    generator, pick one 38-bit sequence and XOR it with the 38-bit sequence
    found in the previous step. If the resulting sequence is also in the
    table, proceed to the next step. Otherwise, try the next 38-bit sequence
    until a match is found. There are a total of 59049 entries in the table,
    since that is the period of RANDOM1. Naturally, the table should be
    organized to make this step fast.


(4) When the two sequences have been found in the table, the values of
    RANDOM1[i], random1[i], and (i-j) and (i-k) can also be found, since they
    depend only on the RANDOM1 generator. These values should also have been
    placed in the table when it was generated.


(5) Assume a value for RANDOM2[j]. Using this value, and the values of A[i],
    A[i+1], etc., calculate the succeeding values RANDOM2[j+A[i]],
    RANDOM2[j+A[i]+A[i+1]], etc. Then use these values and the original
    values obtained from the plaintext-ciphertext to calculate random2[k],
    random2[k+δ[i]], random2[k+δ[i]+δ[i+1]], etc. Compare these values
    against the known sequence δ[i], δ[i+1], etc. If they match, the values
    of RANDOM2[j] and random2[k] have been found. If not, try another guess
    for RANDOM2[j]. There are 32768 possible values for RANDOM2[j], so this
    step should be done as efficiently as possible. Almost all of the
    incorrect values of RANDOM2[j] can be eliminated by calculating only a single
    value of δ. Note that the δ sequence can also be used to distinguish
    between duplicate matches in step (3).


(6) Using RANDOM1[i] and i calculate the initial value of SEED1.
(7) Using random1[i] and i calculate the initial value of seed1.
(8) Using RANDOM2[j] and j calculate the initial value of SEED2.
(9) Using random2[k] and k calculate the initial value of seed2.


In summary, double-encryption makes the system more difficult to attack, since
more known-plaintext is required, larger tables are used, and each step takes
about 50,000 times as long. However, the system is still fairly easy to
break, even though the key size is now greater than the 56-bit key used for
DES.
CONCLUSION


After a number of attempts to improve the algorithm, the author of the file
encryption program finally gave up and replaced the whole program with a
similar one based on DES. Although a software implementation has obvious
problems, the DES program is not likely to be broken as easily as this
MacLaren-Marsaglia program was.


The primary weakness of the MacLaren-Marsaglia algorithm as a cipher system is
that the effects of the two constituent generators can be separated. This has
the effect of halving the key size. The attack described in this paper used
certain features which actually improve the statistics of the pseudo-random
numbers. For example, the fact that RANDOM1 has a potency of 10 improves its
randomness, but it also reduces the number of differences required to uniquely
identify its state. Similarly, RANDOM2 has a very high potency, but its
least-significant bits are not at all random. However, changing the
generators to remove these weaknesses would probably result in the introduction of
new weaknesses which could be exploited in similar ways.


It may be worth noting that a recent article [5] describes a commercial
cryptographic device as using the MacLaren-Marsaglia algorithm. The
experience described above leads me to question the security of such a device.
Appendix A
Efficient Computation of Values in a Linear Congruential Sequence


Although it is possible to generate a given value in a linear congruential 
sequence simply by generating each successive value until the desired one is 
obtained, this method requires a significant amount of time. Another possibi- 
lity is to generate all of the values once, place them in a table, and extract 
the desired one when it is needed. This method requires less time, but may 
take a large amount of space in the computer’s memory. Fortunately, by taking 
advantage of the linearity of the sequence, values may be obtained using small 
tables and a small amount of computation. 


Let the sequence be defined by the following recursion, with $X_0 = 0$:

$X_{n+1} = (a X_n + b) \bmod m.$

Then $X_n = \sum_{i=0}^{n-1} a^i b \bmod m$,

and $X_{n+j} - X_n = \sum_{i=n}^{n+j-1} a^i b \bmod m$,

so $X_{n+j} = X_n + a^n X_j \bmod m$.

Now, assume that we have tables of $X_n$ and $a^n$ for $n = 1, 2, 4, 8, 16, \ldots$. Then,
given any value of $X_i$, we can calculate the value of $X_{i+1}$ or $X_{i+2}$ or $X_{i+4}$
etc., with only one multiplication and one addition (mod m). By repeating
this procedure, we can calculate the value of any X in the sequence with at
most 16 multiplications, 16 additions, and possibly 16 divisions, since all of
the numbers being used here are limited to 16 bits. The memory space required
for the tables is negligible, since there are only 16 numbers in each table.


The following procedure can be used to find any value in the RANDOM2 sequence,
given any other value in the sequence, and the difference between their times
of generation. Note that no divisions are required because the modulus is a
power of 2. (A[I] and X[I] are the tables of $a^{2^I}$ and $X_{2^I}$ described
above, so bit I of OFFSET selects a jump of $2^I$ steps.)

FUNCTION R2VALUE(STARTVALUE, OFFSET);
BEGIN
  FOR I := 0 TO 14 DO
    IF (OFFSET AND 2↑I) <> 0
      THEN STARTVALUE := A[I] * STARTVALUE + X[I];
  RETURN(STARTVALUE AND 32767);
END;


APPENDIX B 
Efficient Computation of the Inverse of the RANDOM2 Sequence 


The inverse of the previous function, namely, finding the difference between 
the times of generation of two known values from the RANDOM2 sequence, can be 
computed with a similar amount of effort. However, the method relies on 
certain other properties of the RANDOM2 sequence, namely, that the modulus is 
a power of 2, and a(mod 4) = 1. Generators with these values produce sequen- 
ces with good randomness properties (see [2]), but the tables of A[I] and X[I] 
used in the previous section have a very convenient characteristic. Using the 
same notation, 

$X[I] = X_{2^I} = b \,\frac{a^{2^I} - 1}{a - 1} = b \sum_{i=0}^{2^I - 1} a^i \pmod m.$


Using the fact that $a \bmod 4 = 1$, and expanding, it can be shown that


$X[I] = b\,(2k + 1)\,2^I$ for some integer $k$.


Since $b$ is odd, this implies that $X[I]$ is divisible by $2^I$, but not by $2^{I+1}$,
which means that the least significant bit which is a 1 in $X[I]$ is the $I$-th
bit.


Let $i = 2^I$ and $j = 2^J$, where $I < J$.


Then $X_{i+j} = X[I] + A[I]\,X[J] \bmod m$.

Since $m$ is a power of 2, the least significant 1 in the value $X_{i+j}$ is the same
as the least significant bit in $X[I]$. Therefore, given any two values from
the RANDOM2 sequence, we can calculate the difference between their times of
generation with the following procedure:
FUNCTION R2INVERSE(START, END);
BEGIN
  OFFSET := 0;
  FOR I := 0 TO 14 DO
    IF ((START XOR END) AND 2↑I) <> 0
      THEN BEGIN
        OFFSET := OFFSET + 2↑I;
        START := A[I] * START + X[I];
      END;
  RETURN(OFFSET);
END;

An assembly-language version of this routine takes about 100 microseconds on
an Eclipse S/280. Since it is impossible for two consecutive values in the
RANDOM3 sequence to be more than 2787 apart in the RANDOM2 sequence, most
incorrect guesses can be eliminated in a fraction of a millisecond using this
routine.


APPENDIX C 

An Example 
We are given a file of ciphertext beginning with the following values: 29400, 
11661, 7238, 25666, 16219. From other information, we suspect that the first 
word in the file may be PROCEDURE. Then we perform the following steps to 
find the values of the keys: 


(1) Assuming that the plaintext is correct, we can obtain five values from 
the RANDOM3 sequence by XORing the plaintext and the ciphertext. 


    PR -> 20562 XOR 29400 = 8842
    OC -> 20291 XOR 11661 = 25294
    ED -> 17732 XOR 7238 = 22786
    UR -> 21842 XOR 25666 = 12560
    E  -> 17696 XOR 16219 = 31355   (the fifth word is "E" followed by a blank)


(2) Since all of the values in the RANDOM3 sequence came from the RANDOM2 
sequence, we know the following values of the RANDOM2 sequence: 


    RANDOM2[j] = 8842
    RANDOM2[j+A[i]] = 25294
    RANDOM2[j+A[i]+A[i+1]] = 22786
    RANDOM2[j+A[i]+A[i+1]+A[i+2]] = 12560
    RANDOM2[j+A[i]+A[i+1]+A[i+2]+A[i+3]] = 31355
(3) In order to calculate the times when these values were generated by
    RANDOM2, we must use some arbitrary starting point. Using 0 as a
    starting value, and assuming that the initial value of SEED2 occurs T2 cycles
    after 0 in the RANDOM2 sequence, we can calculate the following values by
    using the function R2INVERSE defined in Appendix B.


    j = 27994 - T2
    j + A[i] = 27838 - T2
    j + A[i] + A[i+1] = 28050 - T2
    j + A[i] + A[i+1] + A[i+2] = 28048 - T2
    j + A[i] + A[i+1] + A[i+2] + A[i+3] = 28051 - T2


Subtracting, we obtain four values from the A sequence: 


    A[i] = -156
    A[i+1] = 212
    A[i+2] = -2
    A[i+3] = 3


Since none of these values has a magnitude greater than 2787, the guess 
cannot be eliminated immediately, so we proceed to the next step. 


(4) In this step we search a table of the A sequence for the four consecutive
    values above. This can be done efficiently using a hash table of the
    subsequences, but for this example the following table shows a part of
    the RANDOM1 sequence and the corresponding values of A and the delay
    through TABLE (T1 is the number of cycles from 0 to the initial value of
    SEED1 in the RANDOM1 sequence).


    t            RANDOM1[t]   mod 257   A[t]   table delay (i-j)
    15176 - T1   43622        189       17     71
    15177 - T1   49800        199       -156   55
    15178 - T1   14383        248       212    212
    15179 - T1   28775        248       -2     1
    15180 - T1   33342        189       3      4
    15181 - T1   4360         248       -83    2


    Notice the A sequence matches, starting with the line at t = 15177 - T1.


(5) From the length of the file, we know that the number of cycles of
    initialization was 5001. Since the ciphertext that we are using is at the
    beginning of the file, there is no additional offset. Therefore, the
    value of i is 5001. From the previous step, we know that the number
    produced by RANDOM3 at that time spent 55 cycles in the TABLE. So, (i-j)
    = 55, and j = 5001 - 55 = 4946.


(6) We know that i = 5001 and RANDOM1[i] = 49800. To find the key,
    RANDOM1[0], we must go back 5001 cycles, or forward 59049 - 5001 = 54048
    cycles, in the RANDOM1 sequence. Using the function explained in
    Appendix A, R1VALUE(49800,54048) produces the value of RANDOM1[0] = 123, which
    is the first key.


(7) We know that j = 4946 and RANDOM2[j] = 8842. To find the key,
    RANDOM2[0], we must go back 4946 cycles, or forward 32768 - 4946 = 27822
    cycles, in the RANDOM2 sequence. Using the function explained in
    Appendix A, R2VALUE(8842,27822) produces the value of RANDOM2[0] = 456, which
    is the second key.


Notice that the keys could also be found by solving for the values of T1 and
T2, and then finding R1VALUE(0,T1) and R2VALUE(0,T2). Knowing both keys, we
can easily decipher the entire file.
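The attack of steps (1) to (7) in "Breaking the Algorithm", run end to end as an added Python example against a model of the cipher; it also implements the jump tables of Appendix A (R1VALUE/R2VALUE as `jump`) and the RANDOM2 inverse of Appendix B (`r2inverse`), so this one block serves the procedure and all three appendices. None of it is the author's code. Assumptions the paper does not state: TABLE is filled with 257 RANDOM2 outputs before any RANDOM3 call, the warm-up count is known to the attacker as a parameter, RANDOM3 and RANDOM2 calls are numbered from 1 after that fill (so this model's j differs from the paper's by the 257 fill calls), and plaintext is packed two characters per word with the first character in the high byte, which is what the Appendix C values imply. The demo file and its text are constructed; only the keys 123 and 456 are taken from Appendix C.

```python
A1, B1, M1 = 46876, 32749, 59049      # RANDOM1
A2, B2, M2 = 4353, 32633, 32768       # RANDOM2
TSIZE, MAX_DELTA = 257, 2787          # table size; largest |A| from step (3)


def jump_tables(a, b, m, bits):
    """Appendix A: A[I] = a^(2^I) mod m and X[I] = X_(2^I) for X_0 = 0, I < bits."""
    A, X, pa, px = [], [], a % m, b % m           # the 1-step map is x -> a*x + b
    for _ in range(bits):
        A.append(pa); X.append(px)
        pa, px = pa * pa % m, (pa * px + px) % m   # compose the 2^I-step map with itself
    return A, X


A1T, X1T = jump_tables(A1, B1, M1, 16)   # 2^16 > 59049
A2T, X2T = jump_tables(A2, B2, M2, 15)   # 2^15 = 32768


def jump(x, offset, A, X, m):
    """R1VALUE / R2VALUE: the value `offset` steps after x, one multiply-add per set bit."""
    for i in range(len(A)):
        if offset >> i & 1:
            x = (A[i] * x + X[i]) % m
    return x


def r2inverse(start, end):
    """Appendix B: number of RANDOM2 steps from `start` to `end` (0..32767)."""
    offset = 0
    for i in range(15):
        if (start ^ end) >> i & 1:                 # lowest differing bit i => 2^i more steps
            offset += 1 << i
            start = (A2T[i] * start + X2T[i]) % M2
    return offset


def signed_delta(start, end):
    """A value between two consecutive RANDOM3 words; negative means `end` was made earlier."""
    d = r2inverse(start, end)
    return d - M2 if d >= M2 // 2 else d


def keystream(seed1, seed2, warmup, n):
    """Model of the cipher: n RANDOM3 words after `warmup` calls (assumed table fill)."""
    s1, s2, table, out = seed1, seed2, [], []
    for _ in range(TSIZE):
        s2 = (A2 * s2 + B2) % M2; table.append(s2)
    for _ in range(warmup + n):
        s1, s2 = (A1 * s1 + B1) % M1, (A2 * s2 + B2) % M2
        i = s1 % TSIZE
        out.append(table[i]); table[i] = s2
    return out[warmup:]


def attacker_tables(window=4):
    """Step (4) precomputation: delay through TABLE and A, indexed by position in the
    RANDOM1 cycle that starts at 0.  Two passes so every slot has an earlier write."""
    ref, x = [], 0
    for _ in range(M1):
        ref.append(x); x = (A1 * x + B1) % M1
    last, delay = {}, [0] * M1
    for s in range(2 * M1):
        slot = ref[s % M1] % TSIZE
        if slot in last: delay[s % M1] = s - last[slot]
        last[slot] = s
    delta = [1 - delay[(u + 1) % M1] + delay[u] for u in range(M1)]  # A[t] = g(t+1) - g(t)
    index = {}
    for u in range(M1):
        index.setdefault(tuple(delta[(u + k) % M1] for k in range(window)), []).append(u)
    return delay, index, window


def recover_keys(known, position, warmup, tables):
    """Steps (1)-(7): `known` = plaintext XOR ciphertext words at file word `position`."""
    delay, index, window = tables
    obs = tuple(signed_delta(known[k], known[k + 1]) for k in range(window))   # step (3)
    if any(abs(d) > MAX_DELTA for d in obs):
        return None                                   # wrong position or wrong plaintext
    t0 = warmup + 1 + position                        # RANDOM3 call number of known[0]
    for u in index.get(obs, []):                      # step (4); every match is tried
        seed1 = jump(0, (u - t0) % M1, A1T, X1T, M1)           # step (6)
        g = TSIZE + t0 - delay[u]                              # step (5): RANDOM2 call of known[0]
        seed2 = jump(known[0], (-g) % M2, A2T, X2T, M2)        # step (7): walk back g steps
        if keystream(seed1, seed2, warmup, position + len(known))[position:] == list(known):
            return seed1, seed2
    return None


def words_of(text):
    """Two characters per 16-bit word, high byte first ('PR' -> 20562 as in Appendix C)."""
    text += " " * (len(text) % 2)
    return [ord(text[i]) << 8 | ord(text[i + 1]) for i in range(0, len(text), 2)]


def demo(warmup=20000):
    """Constructed file under the Appendix C keys 123/456; the attacker guesses 'PROCEDURE '."""
    plaintext = words_of("PROCEDURE MAIN; BEGIN WRITELN('HELLO') END.")
    ciphertext = [p ^ k for p, k in zip(plaintext, keystream(123, 456, warmup, len(plaintext)))]
    known = [g ^ c for g, c in zip(words_of("PROCEDURE "), ciphertext)]   # step (1)
    return recover_keys(known, 0, warmup, attacker_tables())
```

recover_keys tries every table match and confirms each candidate by regenerating the keystream, so the occasional non-unique four-difference window (the 3% case mentioned in the text) is handled rather than assumed away; the MAX_DELTA test is the step (3) filter that rejects a wrong guess before any table lookup. Nothing in the attack touches RANDOM2's key until the last step, which is the separability the conclusion points to.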
PROJECT ON SECRECY AND OPENNESS
IN SCIENTIFIC AND TECHNICAL COMMUNICATION


Sponsored by 
American Association for the Advancement of Science 
Committee on Scientific Freedom and Responsibility 


In recent years, the traditional concept of scientific ideas and information 
as a public good, freely available to professional colleagues as well as the 
general public, has come under closer scrutiny. The post-World War II 
increase in the economic, political, and military value of scientific and 
technical information has fostered various private and public proposals to 
restrict open communication in university teaching and research activities. 
These proposals have cited many justifications, including national security 
interests, economic competition, patent protections, and quality control, as 
the basis for limiting access to new and important research data in selected 
fields. 


Conflicts over secrecy and openness in science are essentially conflicts over 
values. In order to explore the fundamental values which promote secrecy or 
openness in science, the American Association for the Advancement of Science 
has initiated a new project through the office of the AAAS Committee on 
Scientific Freedom and Responsibility. The project, titled "Secrecy and 
Openness in Scientific and Technical Communication" is supported by a grant 
from the Program on Ethics and Values in Science and Technology (EVIST) in the 
National Science Foundation, and the Humanities, Science and Technology Pro- 
gram in the National Endowment for the Humanities. Ms. Rosemary Chalk, Pro- 
gram Head for the AAAS Committee, is the project director. 


The tradition of openness in research is the foundation for objectivity in
science. It is through the free exchange of information and data that new
ideas and experimental results are subjected to the rigorous test of peer
review and verification. The origins of openness, however, have their roots
in a period when science was essentially a private intellectual activity.
Also, many scholars are not completely "open" in their exchange of data and
information. Self-imposed restrictions on the release of new but unconfirmed
theories or preliminary experimental data are quite common in traditional
scientific work. These restrictions, which form part of the ethos of science,
are themselves limited by notions of fair play and equity, however, and are
subject to abuse when stimulated by objectives other than the protection of
incomplete work.


In modern times, government, industrial and university groups have
increasingly recognized the importance of applying scientific and technical resources
to selected public and private objectives. Access to new information, includ-
ing basic research, has emerged as a source of competitive advantage in the
pursuit of various social, military, and economic goals. As a result, the
concept of intellectual property has expanded in the post-World War II period
to justify occasional controls on the disclosure of basic research findings
supported by public or private funds.


For example, in a series of reports describing concerns about technology
transfer leaking advanced U.S. technology to foreign adversaries, the Defense 
Department has questioned whether the openness associated with university 
research in areas of direct military application is detrimental to national 
security interests in a time of escalating East-West tensions. 


In the commercial area, a number of firms are exploring arrangements whereby 
universities can develop research projects and academic programs suited to the 
needs of particular industries. Within such arrangements, one major source of 
concern and controversy is pre-publication review of, and patent protection 
for, new research data resulting from industry-sponsored work. 


Secrecy also results from actions within the scientific community. As per-
sonal prestige, professional advancement and financial gains become more
closely tied to publication, some individual scientists have indicated
reluctance to exchange new research findings or materials with colleagues and
students in the traditional manner.


These public and private pressures foster secrecy in science. Such restric-
tions on communication often serve legitimate and important social purposes.
They may at times also result in arbitrary or abusive practices, or promote
bias and the loss of objectivity in research.


Although there is reason to believe that secrecy is increasing in science, and
that it may affect values other than openness, very little is known about the
ways in which secrecy or openness influence the conduct of scientific
research. It is for the purpose of encouraging attention to such
relationships, and the values which affect professional behavior and education, that
the AAAS Committee on Scientific Freedom and Responsibility has initiated the
new project.
The AAAS project will consist of a series of background papers and regional
seminars to be organized in 1984. Ten background papers will be commissioned 
through the project. Five projects seminars will be held in Boston, and one 
each will be held in Chicago, Nashville, San Diego and Washington, D.C. A 
project symposium will also be held as part of the 1984 AAAS Annual Meeting in 
New York. 


Co-sponsoring institutions are: 


American Association for the Advancement of Science, Committee on 
Scientific Freedom and Responsibility 


Center for the Study of Ethics in the Professions, Illinois Institute 
of Technology (CSEP/IIT) 


Management of Technology Programs, Vanderbilt University 


Program in Science, Technology and Society, Massachusetts Institute 
of Technology (MIT) 


Science, Technology and Public Affairs Program, University of Cali- 
fornia, San Diego (UCSD) 


Science, Technology and Human Values 


Regional hosts for the project are: Rosemary Chalk, AAAS project 
director, Washington, D.C.; Robert House, director, Management of 
Technology Program, Vanderbilt University; Marcel La Follette, 
editor, Science, Technology and Human Values, MIT; Sanford Lakoff, 
professor of political science, UCSD; and Vivien Weil, senior 
research associate, CSEP/IIT. 


Advisory committee members guiding the development of the AAAS project are: 
Loren Graham, professor of the history of science, MIT; Harold P. Green,
professor of law, George Washington University; Lee Grodzins, professor of 
physics, MIT; Louis Menand, senior lecturer in political science and special 
assistant to the provost, MIT; and Eugene Skolnikoff, director of MIT Center 
for International Studies. 


Further information about the project can be obtained from Rosemary Chalk at 
American Association for the Advancement of Science, 1515 Massachusetts Ave. 
NW, Washington DC 20005 or call (202) 467-5238. 
HAND-HELD CRYPTO DEVICE SEC-36
LOUIS KRUH


Tadiran Israel Electronics Industries Ltd., Tel Aviv, Israel, manufactures a 
line of communications security terminals and devices including the Digital 
Data Crypto Device SEC-15, which provides ciphering/deciphering of digital 
information for transmission over terminal-to-terminal radio or wire links; 
Secure Communication Terminal SEC-22, a state of the art digital narrow-band 
voice ciphering terminal; Secure Communication Terminal SEC-13, a digital 
ciphering/deciphering system designed to provide maximum security for tactical 
and data communication; and Hand-Held Crypto Device SEC-36, which this article 
will review. 


Hand-Held Crypto Device SEC-36 


DESCRIPTION 


SEC-36 is a hand-held, battery powered military crypto device intended basi-
cally for tactical applications. The unit is operated off-line and provides
encryption of messages for secure transmission over radio or wire communication
channels.


The SEC-36 software incorporates an algorithm which encrypts the plaintext
message in conjunction with a randomly generated key code supplied by the 
operator. The totally random code makes the ciphertext produced theoretically 
unbreakable, even when unauthorized persons gain knowledge of or access to the 
equipment. Decryption is possible only when the SEC-36 units at either end of 
the communication channel are set to the same algorithm and the same key code. 


The SEC-36 features a five-character LED display and a push button keyboard 
with full alphanumerics and various function keys. The 3-level memory has a 
capacity of 90 five-character groups. Full editing facilities allow any part 
of the message to be recalled for review or amendment from any of the memory’s 
levels (plaintext, code, and ciphertext). 


OPERATION 


Encryption 
The encryption process involves all three levels of the memory:


PLAIN level 
CODE level 
CRYPTO level 


Operate the PLAIN level key and type in the plaintext message in groups of 
five characters, using the alphanumeric keys. The LE-NO key selects alphabe- 
tic or numeric characters; the BLK key must be operated for each blank space 
in a group. 


As the group is keyed in, it appears in the display. A dot above the first 
(left) character indicates that the memory’s plain level is activated. A 
short beep is heard each time a five-character group is typed in and no more 
data can be entered. When a group is completed, operate the ENIR key to enter 
the group into the memory on plain level and clear the display for the next 
group. Repeat until end of message. 


Operate the CODE level key and use the alphanumeric keys to type in the code
sequence similarly in groups of five characters. (To ensure ciphering of the
entire text, one code character should be entered for each plaintext
character. The crypto level key is therefore inactivated until the correct number
of code groups has been entered.) In the display, a dot above the middle
character indicates that the code level is activated. After completing each
group, press the ENIR key to enter the group into the memory on code level and
clear the display.


Press the CRYPTO level key. The first group of ciphertext will appear in the
display. A dot above the last (right) character indicates that the read-out 
comes from the memory’s crypto level. Operate the ENIR key to display the 
following groups of ciphertext one by one. After noting down the ciphertext, 
the written enciphered message is ready for tape punching or transmission over 
the communication channel. 


If the same message is to be transmitted to several recipients, security 
requires that for each recipient a different code sequence be used. The CLEAR 
CODE key (pressed twice for protection) will clear the memory's code level 
without affecting the basic message stored on plain level. This permits 
entering new code sequences and obtaining a different ciphertext of the mes-
sage for each addressee. 


Decryption 


The procedure for decryption is the same as that for encryption: 


Press the PLAIN level key and enter the received ciphertext by means of the 
alphanumeric keys. Operate the ENIR key after each group. 


Press the CODE level key and enter the code sequence (obtained from an exter-
nal source according to the identification group communicated by the station 
of origin). Operate the ENIR key after each group. 


Press the CRYPTO level key. The display will show the first group of decryp- 
ted plaintext. Operate the ENIR key to obtain the following groups one by 
one. 


For editing or other purposes, the unit permits the user to recall to the 
display the plaintext, ciphertext or code sequence. Direct random access to 
any group stored in the memory is also available by selecting the appropriate 
level (level keys), operating the NUM key, and keying the desired group’s 
address number. Corrections are made by using the ERS key which erases the 
contents of the display and permits a corrected group to be entered instead. 


In response to specific questions, the company has said that the algorithm 
used in the SEC-36 is a Vigenere type, and the degree of security is dependent 
on the one-time key; the software which incorporates the algorithm is change-
able; the unit is aimed at applications where the users need simple, unsophis-
ticated means for multi-task encryption; and the price, for reasonable quanti-
ties, is about $5,000 per unit, with military specifications. 
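The three-level procedure described above, worked through in code as an added example; this is not the SEC-36's own software. The company says only that the algorithm is a Vigenere type, so the example assumes symbol-wise addition modulo the alphabet size and an alphabet of the 26 letters, the 10 digits and the BLK blank (37 symbols); the level names, the five-character groups, the interlock that keeps the CRYPTO level inactive until one code character exists per plaintext character, and the rule that a code sequence is used once all follow the text. The last function shows the standard reason for that rule: with the same code used twice, the symbol-wise difference of the two ciphertexts equals the difference of the plaintexts, so the code contributes nothing to keeping them apart.

```python
"""A Vigenere-type cipher worked through the SEC-36's three memory levels
(PLAIN, CODE, CRYPTO).  Added illustration, not the device's own software.
Assumptions, since the page only says "Vigenere type": characters are added
modulo the alphabet size, and the alphabet is the 26 letters, the 10 digits
and the blank entered with the BLK key (37 symbols)."""
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits + " "   # assumed 37 symbols
GROUP = 5                                                # five-character groups


def to_groups(text: str) -> list:
    """Split a message into five-character groups, padding the last one with
    blanks as the operator would with the BLK key."""
    text = text.upper()
    if any(ch not in ALPHABET for ch in text):
        raise ValueError("character outside the assumed alphanumeric alphabet")
    padded = text + " " * (-len(text) % GROUP)
    return [padded[i:i + GROUP] for i in range(0, len(padded), GROUP)]


def _combine(left: str, right: str, sign: int) -> str:
    """Symbol-wise addition (sign=+1) or subtraction (sign=-1) modulo 37."""
    return "".join(
        ALPHABET[(ALPHABET.index(a) + sign * ALPHABET.index(b)) % len(ALPHABET)]
        for a, b in zip(left, right))


def crypto_level(plain_groups: list, code_groups: list, decrypt: bool = False) -> list:
    """The CRYPTO level read-out.  Reproduces the interlock described above:
    it refuses to operate until there is exactly one code group per plaintext
    group, so no part of the message can pass through unciphered."""
    if len(code_groups) != len(plain_groups):
        raise ValueError(
            f"CRYPTO level inactive: {len(plain_groups)} plaintext groups but "
            f"{len(code_groups)} code groups entered")
    sign = -1 if decrypt else 1
    return [_combine(p, k, sign) for p, k in zip(plain_groups, code_groups)]


def fresh_code(n_groups: int) -> list:
    """A random code sequence of the required length, as the external key
    source would supply for one recipient."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(GROUP))
            for _ in range(n_groups)]


def encrypt(message: str, code_groups: list) -> list:
    return crypto_level(to_groups(message), code_groups)


def decrypt(cipher_groups: list, code_groups: list) -> str:
    """Decryption is the same procedure with the ciphertext entered on the
    PLAIN level; subtraction of the code undoes the addition."""
    return "".join(crypto_level(cipher_groups, code_groups, decrypt=True)).rstrip()


def code_cancels_on_reuse(m1: str, m2: str, code_groups: list) -> bool:
    """Why a code sequence is used once: if the same code is applied to two
    messages, the symbol-wise difference of the two ciphertexts equals the
    difference of the two plaintexts, i.e. the code drops out entirely."""
    c1, c2 = encrypt(m1, code_groups), encrypt(m2, code_groups)
    cipher_diff = _combine("".join(c1), "".join(c2), -1)
    plain_diff = _combine("".join(to_groups(m1)), "".join(to_groups(m2)), -1)
    return cipher_diff == plain_diff


if __name__ == "__main__":
    message = "MEET AT DOCK 7 AT 0300"          # constructed sample message
    code = fresh_code(len(to_groups(message)))
    cipher = encrypt(message, code)
    print("PLAIN ", to_groups(message))
    print("CODE  ", code)
    print("CRYPTO", cipher)
    print("back  ", decrypt(cipher, code))
```

The interlock is the one property worth copying from the device: a cipher that silently passes unkeyed characters when the operator enters too few code groups fails open, and the check in `crypto_level` is where that is prevented.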
CIPHER EQUIPMENT 
LOUIS KRUH 


The Sidney Hole Cryptographic Machine, located in the Science Museum in 
London, is an impressive looking mechanism and unusual in that it uses com-
pressed air in its operation. 


Two of the machines were manufactured in 1926 for the British War Office at a 
cost of 375 pounds each. 


Our thanks to Donald W. Davies for a fine detailed description of a fasci- 
nating cryptographic device. 


SIDNEY HOLE'S CRYPTOGRAPHIC MACHINE 
DONALD W. DAVIES 


Sidney Hole's Cryptographic Machine 


This machine was patented in Britain in 1926 (Nos. 207,257; 239,341; and 
271,955) and then in many other countries, but only one patent seems to have 
been obtained in the USA (#1,684,028 in 1928) and Canada. The details here, 
and the drawings, are from the Australian patent. 


Two machines are held by the Science Museum and were inspected at their Hayes 
store. One seems to be an early development model and made rather crudely. 
The other is substantially the same as the drawings in the patent. In a 
parcel with the machine were many detailed drawings, many patent documents and 
a single page from the firm which made the model, which gives a little frag- 
mentary history. 


The better machine was examined. Almost none of its mechanism would move, due 
to corrosion, though the parts looked undamaged. The rotors (see below) would 
rotate and some parts moved stiffly; otherwise nothing moved. 


Figure 1. 


The photograph and Figure 1 show the layout. Two modified typewriters are 
connected via a pneumatic rotor machine. The 28 keys of the typewriters can 
either operate valves to apply suction to a pipe or receive suction from that 
pipe to actuate the key. Each of these functions is chosen by moving a slide 
composed of 3 bars passing through all the valve/piston assemblies; see Figure 
2. By changing over the functions, encipherment or decipherment is performed, 
for example encipherment by pressing keys on the left typewriter to actuate 
keys on the right via the rotor machine and decipherment by pressing keys on 
the right to actuate keys on the left. 
each case by the typewriter mechanisms. 


Figure 3. 
The space bar has been removed. Spaces are shown by full stops in the text in 
the photograph. The shift mechanism is available but set manually on each 
machine separately. The carriages are linked mechanically to move in step. 
How the escapement of one is taken out of action to allow the other to drive 
was not clear. 


Figure 4. 


Figures 3-7 show the rotor mechanism. It has 5 moving cylinders, each with 28 
holes through it. Each one permutes the vacuum connections; 28 rubber pipes 
connect the ends to the typewriters. 


A cylinder or rotor is made from 3 parts (see Figures 6 and 7). The outer 
parts carry grooves connected to the holes on the faces. The inner part is a 
thin plate with 28 holes to connect the grooves together. Like a 2-layer P.C. 
board this allows, in principle, any permutation of connections, but those 
actually used were rather limited (if less regular than the one shown by 
Figure 5). Like any rotor machine the permutation of letters is changed by 
rotating the cylinders, using the ratchet on one of their parts. The ratchet 
teeth are labelled A-Z. (number) where the number identifies the rotor type. 
By this means, initial settings can be listed. 
Figure 7. 


In principle the pipes can be moved to new places. Their fit is a tapered 
plug, now corroded and fixed. Also the right hand end plate can be rotated if 
pin 45 is pulled, but that is also stuck. By removing nut 43 (stuck) the rotor 
mechanism could be disassembled and the rotor changed. No spare rotor 
cylinders were provided. 


The movement of the rotors is determined by carriage movement. Hence, a 
particular rotor steps on at a particular column on the printed messages. It 
will be seen that complete carriage movements are enforced, and the fixed 
sequence of rotor steps is the same on each line of message. 
The frame linking the carriages holds 5 toothed racks shown as 64 in Figures 
3, 4, 8, 9, and 11. Each rack actuates a follower 83 (Figures 8, 11) which 
moves a valve 82 (Figures 8, 12) which applies suction to a cylinder 70 
(Figures 8, 9) with a piston 71 to move a pawl 76 (Figure 9) to step a rotor 
cylinder. There are five of these followers, valves, pistons and pawls. The 
valves are connected to the cylinders by five rubber pipes 89. The vacuum 
supply is 91 (two pipes). The return of each piston is by a spring, sucking 
air back, though where from is not clear. 


Figure 8. 
Figure 9. 


The racks have ratchet type teeth. It is the upward movement of the follower 
over the edge which triggers the stepping pawl. The return of the pawl is 
gradual, due to the slopes of the rack teeth, but this is immaterial since the 
rotor never moves more often than once in 5 characters. 
Pawls 54 (Figure 5) prevent reverse motion of the rotors but can be withdrawn 
by a lever to allow initial setting. Pawls 77 (Figures 9 and 10) probably 
prevent forward motion when the piston is returned. They withdraw as the 
pistons operate, see broken lines in Figure 9. An arm 78 withdraws these 
pawls for initial setting. 


Figure 13. 


The teeth of the racks would catch on the followers to prevent the carriages 
returning, and this does prevent premature carriage return. At the end of 
travel, cams 94 (Figures 3 and 11) press the followers down beyond their 
normal travel and allow detents 95 (Figure 11) to catch them. They remain in 
this position until the carriage is completely returned, when pins 96 on each 
rack (Figure 8) knock off the detents and let the followers fall back into 
action. This mechanism ensures that the cycle of rotor stepping is the same 
on each carriage movement and that each carriage movement is complete. In the 
photograph it seems that the lines of message have been completed to the end 
by full stops ... etc. 


Figure 14. 


The five racks have a pattern of teeth which is part of the key to the cipher. 
They were removable by slackening the knurled nuts 164 (Figures 8, 11). Each 
rack on the model inspected was double-sided. The inventor suggests that a 
set of racks be used as a physical key to transport to the authorized cipher 
machine. He also suggests different methods of constructing this control 
element: a "barrel of racks" in Figures 14, 15, 16 or a rotary controller in 
Figures 17, 18 or a pneumatic rotary controller in Figures 19, 20. 


Figure 16. 


Given the five rack system examined, arbitrary use of the 10 sides is not 
suitable if we require that at least one rotor should move at each carriage 
movement. The actual racks show great regularity. Mostly, the five rotors 
move in sequence, except that one rack in use had some steps missing and 
another had missing steps on its upper, unused side. The patterns were not 
recorded. In particular, the number of rotor steps per carriage movement on 
each rack should be prime to 28. The only evidence we have is in Figures 3 
and 14 which show 11 steps in each case. The possibility of stepping more 
than one rotor at a time does not seem to have been exploited. After 28 lines 
of type have been printed, all rotors will have returned to their initial 
positions — a considerable weakness. 
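An added illustration of the period argument just made; it is not from the patent or from the article. It simulates the rack-driven stepping under the assumptions that each rotor has 28 positions, that rack r steps rotor r once at each of its teeth during a full carriage movement, and that one line of type is one carriage movement of 28 columns (the column count is assumed; only the number of teeth per rack matters for the period). The `regular_rack` helper is a constructed sample rack. The simulation confirms that any whole number of steps per line brings a rotor back within 28 lines, that 11 steps per line (Figures 3 and 14) give the full 28-line period, and that a step count not prime to 28 gives a shorter one.

```python
"""Period of the rotor stepping in Sidney Hole's machine, following the
analysis above.  Added illustration, not taken from the patent; the model is
assumed from the description: five rotors of 28 positions, rack r carrying a
tooth at each column where rotor r is to step, and one full carriage movement
(one line of 28 columns, assumed) per line of type, so the stepping pattern
repeats line by line."""
from functools import reduce
from math import gcd

POSITIONS = 28          # 28 holes / 28 ratchet teeth per rotor
COLUMNS = 28            # columns per carriage movement (assumed)


def rotor_period_lines(steps_per_line: int) -> int:
    """Lines of type after which one rotor, stepped `steps_per_line` times per
    carriage movement, is back at its starting position."""
    return POSITIONS // gcd(steps_per_line, POSITIONS)


def machine_period_lines(steps_per_line: list) -> int:
    """Lines after which all rotors are back at their start: the least common
    multiple of the individual periods.  It always divides 28, which is the
    weakness noted in the text."""
    return reduce(lambda a, b: a * b // gcd(a, b),
                  (rotor_period_lines(k) for k in steps_per_line), 1)


def regular_rack(n_teeth: int) -> list:
    """Constructed sample rack: n_teeth teeth spread evenly over the columns,
    like the 11-step racks seen in Figures 3 and 14."""
    return [(i * COLUMNS) // n_teeth for i in range(n_teeth)]


def simulate_lines(racks: list, lines: int) -> list:
    """Rotor positions at the start of each line.  racks[r] lists the columns
    (0..27) at which rack r has a tooth, i.e. where the follower trips the
    pawl and rotor r steps on by one."""
    positions = [0] * len(racks)
    history = []
    for _ in range(lines):
        history.append(list(positions))
        for column in range(COLUMNS):              # one complete carriage movement
            for r, teeth in enumerate(racks):
                if column in teeth:
                    positions[r] = (positions[r] + 1) % POSITIONS
    return history


def observed_cycle_length(racks: list) -> int:
    """Period found by simulation: the first later line that starts from the
    same rotor positions as line 0."""
    history = simulate_lines(racks, POSITIONS + 1)
    for line in range(1, POSITIONS + 1):
        if history[line] == history[0]:
            return line
    raise AssertionError("a whole number of steps per line always cycles within 28 lines")


if __name__ == "__main__":
    eleven = [regular_rack(11)] * 5                # what the inspected racks show
    print("11 steps per line on every rack:", observed_cycle_length(eleven), "lines")
    counts = (11, 14, 7, 4, 11)
    mixed = [regular_rack(k) for k in counts]
    print("racks with", counts, "teeth:", observed_cycle_length(mixed), "lines",
          "(individual periods", [rotor_period_lines(k) for k in counts], ")")
```

The point the simulation makes concrete is that the line-by-line repetition of the rack cycle caps the period at 28 lines no matter how the teeth are arranged; only stepping patterns that do not repeat each carriage movement could lengthen it.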
In its present state there is no way to decide how reliable the machine would 
be. The carriage movement probably took place as the typewriter key was 
released. This movement triggered the rotor movements. Was the carriage 
movement sufficiently precise? Did the rotors move fast, so that another key 
could be depressed soon? It is probable that the strokes must be made delibe-
rately, as in a teleprinter. 


Figure 17. Figure 18. 


It is possible that the machine could be restored to operation, by careful 
work. The detailed design and construction was by the Accounting and Tabu- 
lating Corporation of Great Britain Limited, later absorbed, as Power-Samas, 
into ICT and subsequently ICL. Its construction seems to be solid and 
precise. The bulk and weight and the need of a vacuum supply were the main 
drawbacks. 
RSA Development Systems: 


Merritt Software, Inc. is the leading producer of public key security products. 
RSA applications have long been our special area of interest and primary focus. 


As a result of our extensive work in RSA technology, we now offer special de- 
velopment systems that bypass many pitfalls associated with such research. 
Our superior mathematics and comprehension of RSA gives a distinct advan- 
tage to any serious researcher using this system. Some of the most sophisticated 
R & D organizations have already saved valuable time and man-power produc- 
ing useful results in the lab. 


Our RSA-D systems are highly flexible and capable of answering your most 
basic questions. 


* Analyze P&Q values versus computational speed, key size and security 
* Self optimizing math pack produces greater speed with smaller numbers 
* High precision math pack handles numbers up to 165 digits 

* Find nearest valid E to number that you supply, given P and Q 

* Generate primes where P-1 contains a large prime factor 

* Interface to system is through standard serial port 

* Find nearest prime to number that you supply 

* Device can double as a flexible PK workstation 

* Find D, given P, Q & E 

* Self-test mode 

* Do it all quickly, easily and reliably - the same way we do 


MERRITT™ SOFTWARE, Inc. 


P.O. Box 1504, Fayetteville, AR 72702 
(501) 442-0914 
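The key-setup computations named in the feature list above, written out as an added example. This is not Merritt Software's code and makes no claim about how their system works; it assumes the textbook RSA definitions (phi = (P-1)(Q-1), D the inverse of E modulo phi) and toy prime sizes where trial division is enough. All numbers used are constructed.

```python
"""The computations listed in the feature list above, written out as an
added illustration: D from P, Q and E; the nearest valid E; the nearest
prime; and the "P-1 contains a large prime factor" check.  This is not
Merritt Software's code; it is the textbook RSA key arithmetic with small
constructed numbers, so trial division suffices."""
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def nearest_prime(n: int) -> int:
    """Nearest prime to n (the lower one on a tie)."""
    if is_prime(n):
        return n
    lo, hi = n - 1, n + 1
    while True:
        if is_prime(lo):
            return lo
        if is_prime(hi):
            return hi
        lo, hi = lo - 1, hi + 1


def nearest_valid_e(e: int, p: int, q: int) -> int:
    """Nearest exponent to e that is invertible modulo phi = (p-1)(q-1)
    (the lower one on a tie)."""
    phi = (p - 1) * (q - 1)
    for delta in range(phi):
        for cand in (e - delta, e + delta):
            if 1 < cand < phi and gcd(cand, phi) == 1:
                return cand
    raise ValueError("no valid public exponent for these primes")


def find_d(p: int, q: int, e: int) -> int:
    """D = E^-1 mod (P-1)(Q-1); raises if E is not valid for these primes."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E shares a factor with (P-1)(Q-1)")
    return pow(e, -1, phi)            # modular inverse, Python 3.8+


def largest_prime_factor(n: int) -> int:
    best, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return max(best, n) if n > 1 else best


def has_large_prime_factor(p: int, min_bits: int) -> bool:
    """The 'P-1 contains a large prime factor' criterion from the list above:
    a prime whose p-1 is built only from small factors is avoided because the
    modulus N = PQ is then easy to factor by the p-1 method."""
    return largest_prime_factor(p - 1).bit_length() >= min_bits


def rsa_roundtrip(p: int, q: int, e: int, m: int) -> int:
    """Encrypt then decrypt m under (P, Q, E); returns m when D is correct."""
    n = p * q
    return pow(pow(m, e, n), find_d(p, q, e), n)


if __name__ == "__main__":
    p, q = 61, 53                                   # constructed toy primes
    e = nearest_valid_e(3, p, q)
    print("nearest valid E to 3:", e, " D:", find_d(p, q, e))
    print("nearest prime to 100:", nearest_prime(100))
    print("p-1 has a large prime factor (>= 5 bits)?",
          has_large_prime_factor(83, 5), has_large_prime_factor(61, 4))
```

With real key sizes every step here changes: primality needs a probabilistic test, the "nearest valid E" search should simply pick a fixed E such as 65537 and reject primes for which it is not invertible, and "large" in the p-1 criterion means a factor of hundreds of bits, not a handful.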
LITERATURE REVIEWS 
LOUIS KRUH 


KRUH ON KAHN ON CODES 


Kahn, David. Kahn on Codes: Secrets of the New Cryptography. Macmillan Pub. 
Co., 866 Third Ave., New York, NY 10022. 1983. 343 pp. $19.95. 


As an author, David Kahn is usually associated with his first book, that 
massive tome which has become a classic, The Codebreakers. 


His many articles, whether they appear in scholarly publications such as 
Aerospace Historian, The Historical Journal or Isis; technical journals like 
Cryptologia or Computers and Security; society journals like The Cryptogram; 
intellectual outlets such as The New York Times Book Review or The New 
Republic; establishment journals like Foreign Affairs; or initially delivered 
as a keynote address at an international historical conference; or as a state-
ment to a United States Congressional Committee; individually appear insigni-
ficant compared to that weighty, encyclopedic work. 


But, when 28 of his best articles are assembled in one volume, it not only 
casts its own shadow, it also disproves the axiom which claims, "the whole is 
only equal to the sum of its parts." There are at least three reasons for 
this. The reprinted stories as a group are better than their original ver-
sions because they are updated or corrected as later events have dictated; 
many of the articles which appeared in publications whose format did not allow 
for footnotes, or were delivered as talks, have been carefully documented with 
extensive references; and, of course, there is the convenience of having them 
all in one volume. 


This excellent collection is arranged in seven sections: "Uncovering Crypto- 
logy’s Past," "Overviews," "Historical and Technical Studies," "The Politics 
of Cryptology," "Book Reviews," "Codes in Context," and "The Future." 


The articles include stories of Kahn’s meeting with famous European cryptolo-
gists, an analysis of codebreaking in World War I and World War II, a 
searching examination of NSA, a study of military intelligence in action, 
opportunities for further historical research in cryptology, and much more. 
One article was written expressly for this book, "The Spy Who Most Affected 
World War II." For that distinction, Kahn designates Hans-Thilo Schmidt, an 
obscure Nazi party member, who was a civilian clerk in the German Signal 
Corps. Schmidt was the spy who delivered documents that Polish cryptanalysts 
used to solve the German Enigma cipher machines. This article reveals for the 
first time the background and details of this virtually unknown man and his 
unparalleled betrayal which had such an enormous impact on the outcome of 
World War II. 


Besides being a comprehensive and exciting account of notable cryptologic 
events, the book is a genuine bargain with its price only a fifth of what it 
would cost to buy copies of the publications in which the original articles 
appeared. 


"INSIDE" NSA? 
Bamford, J. The Puzzle Palace: A Report on America’s Most Secret Agency. 
Houghton Mifflin Co., 2 Park St., Boston MA 02108, 1982, 465 pp., $16.95 


This is the most comprehensive book ever written about the National Security 
Agency and it contains an amazing amount of detail starting from its inception 
as MI-8 in WW I to the present day. Its origin is traced through H. O. 
Yardley, W. F. Friedman, Pearl Harbor, WW II, and the various studies/commit-
tee investigations on unification of cryptologic activities, which ultimately 
led to President Truman's still secret 1952 memorandum establishing NSA. 
Bamford describes NSA’s Fort Meade headquarters (he refers to it as SIGINT 
City): the physical layout and organization, how it operates, its worldwide 
influence, and many of its senior officials. President John F. Kennedy once 
told the intelligence community, "Your successes are unheralded; your failures 
are trumpeted." As if to underscore the truth of that remark, Bamford is only 
able to relate few of NSA’s triumphs but, almost with excessive zeal, reveals 
all of its warts, and virtually all are twice-told tales. Where the author 
has found new information, particularly dealing with personalities, as in most 
of the chapter on cooperation between the British GCHQ and NSA, it makes for 
interesting reading. On the other hand, the section on NSA’s complex network 
of listening posts with details on antennas, circuits, microwave signals and 
locations of secret sites, which is the book’s largest chapter and contains 
new data, will undoubtedly be dull to many readers except for those inimical 
to NSA’s mission. 


A great deal of information was derived from an assiduous study of NSA’s 
almost 30-year old, unclassified 20-page monthly newsletter, which the author 
wrangled from the Agency, from extensive research among the Friedman Papers at 
the George C. Marshall Research Library, and many interviews with former NSA 
officials. The overall result is a fascinating glimpse at previously unpub-
lished items about Friedman, Callimahos, a host of other lesser known key 
officials, and the intriguing life and times in SIGINT City. 


INTELLIGENCE BIBLIOGRAPHY 


Constantinides, G.C. Intelligence and Espionage: An Analytical Bibliography. 
Westview Press, 5500 Central Ave., Boulder, CO 80301, 1983, 559 pp., $60. 


The author, who has spent almost 25 years in U.S. government intelligence and 
national security work, has justifiably described his book as "the most com- 
prehensive and thorough bibliography of English-language nonfiction books on 
intelligence and espionage to date." It is an enormous work with knowledge- 
able comments, most of them a page or more, on close to 500 books. In a 
special category index the author has divided them into 54 categories. The 
bibliography itself is arranged by author. One of the categories is Communi-
cations Intelligence, Cryptology, and Signals Intelligence which contains 40 
books. Constantinides demonstrates a familiarity and expertise in the subject 
matter with incisive comments and cross references in many of his annotations. 
In his remarks on Yardley’s American Black Chamber, he provides views from 
five other authors and suggests areas in Yardley’s career which still need to 
be explained. With Lewin’s Ultra Goes To War, he refers to reviewers of the 
book as well as other authors to point out inaccuracies and to remind us that 
because much Ultra material is still secret, the full story has not yet been 
told. In his overall excellent appraisal of The Codebreakers, he expresses 
possibly an insider's view that Kahn’s assessment of Friedman as being respon- 
sible for the U.S.’ cryptologic superiority is questionable. Other worthwhile 
comments abound in this outstanding reference work which will be consulted 
frequently by persons seeking a guide to intelligence literature. 


YARDLEY'S CHINESE BLACK CHAMBER 


Yardley, H.O. The Chinese Black Chamber: An Adventure in Espionage. Houghton 
Mifflin, 52 Vanderbilt Ave., New York, NY 10017, 1983, 225 pp., $13.95 


CRYPTOLOGIA APRIL 1984 


In 1938, Chiang Kai-shek, head of the Nationalist Chinese government which was 
fighting a desperate losing battle against the Japanese, engaged Yardley to 
come to the war-torn capital of Chungking to set up a Chinese version of the 
American Black Chamber Yardley had organized and directed in New York. This 
manuscript, hidden for over 40 years, is the story of his adventures and 
intelligence exploits in China from 1938-1940. Most of the account is a 
fascinating glimpse of life in a strange society of Chinese characters, Euro-
pean traders, politicians, generals, spies, traitors, mistresses and other 
colorful personalities. Few of Yardley’s cryptanalytical episodes are 
included but he does describe, step-by-step, how he solved a cipher which used 
a public Chinese code book superenciphered by a book cipher. The book has an 
introduction by James Bamford, author of The Puzzle Palace, with additional 
details of Yardley’s experiences in China. It concludes with "Memories of the 
American Black Chamber", a brief memoir by the author’s wife, Edna Yardley, 
who is its last surviving original member. 


CODES IN THE ETHER 


Monitoring Times, 140 Dog Branch Road, Brasstown NC 28902. Issued 
monthly, 32 pp., $10.50 for one year, $20.00 for two years. 


This 32 page tabloid newspaper is written for shortwave listeners and scanner 
buffs. It usually has a feature on clandestine stations including spy number 
broadcasts, i.e., stations transmitting messages in numerical code. A recent 
issue contained articles on Basic Codebreaking and Japanese messages sent 
before the Pearl Harbor attack. It covers other offbeat listening areas such 
as satellite reception, monitoring the AWACS Net, nuclear shipments, etc. and 
provides the frequency lists. Other features review equipment and books, and 
provide advice on getting started and improving your operation. Free sample copy 
available on request. 


BIOGRAPHY OF ALAN TURING 


Hodges, A. Alan Turing: The Enigma, Simon and Schuster, 1230 Ave. 
of the Americas, New York NY 10020. 1983. 587 pp. $22.50. 


Alan M. Turing was an English mathematical genius whose name is perpetuated in 
the annals of computer history for the Turing machine, a theory and, even- 
tually, a device he invented. His work, starting in the mid-1930s, was the 
theoretical foundation for the modern digital computer. 


Lesser known is his leading role at Bletchley Park, where Government Code and 
Cypher School cryptanalysts were confronted with improved Enigma ciphers when 
the Germans upgraded their communications security. Instead of using six or 
seven plugboard connections, the Enigma operators started to connect ten pairs 
of letters; and the number of available rotors was increased from three to 
five. There are 150,738,274,937,250 ways to connect ten pairs of letters, and 
with just three rotors there are six ways to arrange them — but with five to 
choose from, the number of possibilities jumps to sixty! Polish crypt-
analysts, who first broke the Enigma cipher and developed the Bombe, an elec-
tromechanical device to run through all possible rotor positions, simply 
didn’t have the technical resources to continue, and their information was 
given to the British and the French. 


Turing, with the assistance of Gordon Welchman, developed a new Bombe 
embodying a new concept and a new design which helped to decrypt the new 
Enigma system in speedy fashion. 


Later, Turing was assigned to work on the German Naval Enigma which at that 
time still used three rotors but they were chosen from a group of eight which 
produced 336 possibilities. Turing's analysis demonstrated that decryptment 
would be impossible until additional enciphering information could be cap-
tured. In the interim, he developed the mathematical theory that was required 
to exploit the information when it became available. 


When teleprinter-enciphering machine traffic known as "fish" was being 
analyzed, one of the most important and general methods was invented by Turing 
and became known as Turingismus. 


This detailed biography covers Turing's life from birth to his untimely death 
in an intelligent, exhaustive and very readable style. Because the author is 
also a mathematician, he is able to explain and make comprehensible the tech-
nical passages dealing with Turing’s cryptanalytical and mathematical achieve-
ments. It is the kind of biography you wish would be done for William F. 
Friedman. 
ON KULLBACK'S $\chi$-TESTS FOR MATCHING AND 
NON-MATCHING MULTINOMIAL DISTRIBUTIONS 


BORGE TILT 


ABSTRACT: This paper concerns the $\chi$-tests (cross-product sum tests) 
introduced by Solomon Kullback in 1938 ("Statistical Methods in 
Cryptanalysis") to test for matching or non-matching of parameters of two 
multinomial distributions with known and identical sets of parameters, 
namely the probabilities. Our main result is the demonstration of an 
error in the given expression for the variance of $\chi$ in the case of non-
matching distributions. 


KEYWORDS: multinomial distribution, cross-product sum tests 


Among the tools of the cryptanalyst is the cross-product sum test, or $\chi$-test, 
devised by Solomon Kullback in 1935. Later, in 1938, it was described in his 
"Statistical Methods in Cryptanalysis," which, however, was not declassified 
until quite recently [1]. 


The probability distribution of the test variable $\chi$ will often be well 
approximated by a normal distribution, thus requiring knowledge of mean and 
variance only. Kullback gives formulas for mean and variance of $\chi$ in two 
cases: (1) matching distributions, and (2) non-matching distributions. Our 
main objective is to point out an error in the expression for the variance of 
$\chi$ in the case of non-matching distributions, and to derive the correct 
formula. 


We give mean and variance of $\chi$ for both matching and non-matching 
distributions. We also derive the mean of $\chi$ in an intermediate case not 
discussed by Kullback, partially matched distributions. 


THE CROSS-PRODUCT SUM 

The distributions in question are two multinomial distributions with parameters 
$(N_1;\, p_1, p_2, \ldots, p_n)$ and $(N_2;\, \pi_1, \pi_2, \ldots, \pi_n)$, respectively, where $(p_i)$ and $(\pi_i)$ 
are permutations of the $n$ probabilities in a set $\{h_k\}$ with $0 \le h_k \le 1$ for 
$k = 1, 2, \ldots, n$ and $\sum_{k=1}^{n} h_k = 1$. The pairs $(p_1, \pi_1), (p_2, \pi_2), \ldots, (p_n, \pi_n)$ are formed 
according to a specification depending on the particular case, but the order 
of the pairs does not matter. 


Suppose a single observation is made of each multinomial variable, and let 
$(a_1, a_2, \ldots, a_n)$ and $(b_1, b_2, \ldots, b_n)$ denote the results. Thus, for instance, $a_i$ 
($i = 1, 2, \ldots, n$) is the number of times outcome number $i$ has occurred in $N_1$ 
independent trials, where outcome number $i$ ($i = 1, 2, \ldots, n$) occurs with 
probability $p_i$. The cross-product sum is 

$\chi = \sum_{i=1}^{n} a_i b_i .$   (1) 

Instead of $\chi$ we will sometimes consider the variable 

$\chi / N_1 N_2 = \sum_{i=1}^{n} (a_i / N_1)(b_i / N_2) ,$   (2) 

which is a cross-product sum of the relative frequencies. 

We shall discuss the probability distribution of $\chi$ ($\chi / N_1 N_2$) in three cases 
distinguished by the method of pairing $p$'s and $\pi$'s. Generally, some pairs of 
identical $p$ and $\pi$, possibly none at all, are matched in advance, and the 
remaining $p$'s and $\pi$'s are paired at random. 
MATCHING DISTRIBUTIONS 

This is the case where all $p$'s and $\pi$'s are matched. Thus $p_i = \pi_i$ for all $i$. 
The ordering of $p$'s ($\pi$'s) is immaterial as far as the probability distribution 
of $\chi$ is concerned. In [1, p.52] it has been shown that mean and variance of $\chi$ 
are, respectively, 


$V[\chi] = N_1 N_2 \left[ (N_1 + N_2)(s_3 - s_2^2) + (s_2 + s_2^2 - 2 s_3) \right] ,$   (4) 

where $s_2 = \sum_{k=1}^{n} h_k^2$ and $s_3 = \sum_{k=1}^{n} h_k^3$. 


Always, $s_3 - s_2^2 \ge 0$, and $s_2 + s_2^2 - 2 s_3 \ge 0$. 
By (3) and (4), 


$V[\chi / N_1 N_2] = \left(\frac{1}{N_1} + \frac{1}{N_2}\right)(s_3 - s_2^2) + \frac{s_2 + s_2^2 - 2 s_3}{N_1 N_2} .$   (6) 


Thus, whereas $E[\chi / N_1 N_2]$ is a constant, independent of $N_1$ and $N_2$, $V[\chi / N_1 N_2]$ is 
a decreasing function of $N_1$ and $N_2$. In fact, 


$V[\chi / N_1 N_2] \to 0$ as $N_1, N_2 \to \infty .$   (7) 


NON-MATCHING DISTRIBUTIONS 


Here, none of the $p$'s and $\pi$'s are matched, so all $p$'s and $\pi$'s are paired at 
random. We shall prove 


$E[\chi] = N_1 N_2 \cdot \frac{1}{n} ,$   (8) 

$V[\chi] = \frac{N_1 N_2}{n - 1} \left[ N_1 \left(s_2 - \frac{1}{n}\right) + (1 - s_2) \right] \left[ N_2 \left(s_2 - \frac{1}{n}\right) + (1 - s_2) \right] ,$   (9) 

where $s_2 - 1/n \ge 0$ and $1 - s_2 \ge 0$. Equivalently, 

$E[\chi / N_1 N_2] = \frac{1}{n} ,$   (10) 

$V[\chi / N_1 N_2] = \frac{1}{n - 1} \left[ \left(s_2 - \frac{1}{n}\right) + \frac{1 - s_2}{N_1} \right] \left[ \left(s_2 - \frac{1}{n}\right) + \frac{1 - s_2}{N_2} \right] .$   (11) 


Again, $E[\chi / N_1 N_2]$ is a constant, independent of $N_1$ and $N_2$, and $V[\chi / N_1 N_2]$ is 
decreasing in $N_1$ and $N_2$. However, $V[\chi / N_1 N_2]$ does not, in general, converge to 
0, since 


$V[\chi / N_1 N_2] \to \frac{(s_2 - 1/n)^2}{n - 1}$ as $N_1, N_2 \to \infty .$   (12) 


It is worth noting that in the special case of a flat distribution, that is $h_k 
= 1/n$ for all $k$, it makes no difference whether $p$'s and $\pi$'s are matched or 
not. In this very special case $s_2 = 1/n$ and $s_3 = 1/n^2$. Substitution of these 
values into both Eq. (3) and Eq. (8) gives $E[\chi] = N_1 N_2 \cdot \frac{1}{n}$, and substitution into 
both Eq. (4) and Eq. (9) gives $V[\chi] = N_1 N_2 \cdot \frac{1}{n}\left(1 - \frac{1}{n}\right)$. 


Kullback’s formula for $V[\chi]$ in the case of non-matching distributions is not 
in agreement with our Eq. (9). According to Kullback [1, p.53], 


$V[\chi] = N_1 N_2 \left[ (N_1 + N_2)\left(\frac{s_2}{n} - \frac{1}{n^2}\right) + \frac{1}{n} + \frac{1}{n^2} - \frac{2 s_2}{n} \right] ,$   (Kullback, Eq. (24.7)) 


by which $V[\chi / N_1 N_2] \to 0$ as $N_1, N_2 \to \infty$. Only if $N_1 = 1$ or $N_2 = 1$, or if $h_k = 
1/n$ for all $k$, does the above formula give the same result as our Eq. (9). In 
any other case it will underestimate the true value of the variance. 
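An exact check of the matching-case formulas and of Eqs. (8)-(9) against Kullback's Eq. (24.7), added here as an example; it is not part of the paper. For small $n$, $N_1$ and $N_2$ the code enumerates every pair of multinomial outcomes with exact rational arithmetic and, for random pairing, every pair of permutations of the probability set, so the comparison is an identity rather than a simulation. The matching-case mean is taken as $N_1 N_2 s_2$, which is what Eq. (13) gives with $\pi_i = p_i$ (the paper's own statement of Eq. (3) has not survived in this copy). The probability set `H` is constructed.

```python
"""Exact check of the cross-product sum moments by enumeration.  Added
example, not from the paper: for small n, N1 and N2 every pair of multinomial
outcomes (a_1..a_n), (b_1..b_n) is enumerated with exact rational arithmetic,
and in the non-matching case also every pair of permutations (p_i), (pi_i).
The resulting E[chi] and V[chi] are compared with Eq. (4), Eqs. (8)-(9) and
Kullback's Eq. (24.7).  The matching-case mean is taken as N1 N2 s2, i.e.
Eq. (13) with pi_i = p_i.  The probability set H is constructed."""
from fractions import Fraction as F
from itertools import permutations
from math import factorial, prod


def compositions(total: int, parts: int):
    """All tuples of `parts` non-negative integers summing to `total`."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def multinomial_pmf(counts, probs) -> F:
    coef = factorial(sum(counts))
    for c in counts:
        coef //= factorial(c)
    return coef * prod((F(p) ** c for p, c in zip(probs, counts)), start=F(1))


def chi_moments(N1: int, N2: int, p, pi):
    """E[chi] and E[chi^2] for fixed parameter vectors p and pi, chi as in Eq. (1)."""
    m1 = m2 = F(0)
    for a in compositions(N1, len(p)):
        wa = multinomial_pmf(a, p)
        for b in compositions(N2, len(pi)):
            chi = sum(x * y for x, y in zip(a, b))
            w = wa * multinomial_pmf(b, pi)
            m1 += w * chi
            m2 += w * chi * chi
    return m1, m2


def exact_mean_var(N1: int, N2: int, h, matched: bool):
    """(E[chi], V[chi]): matched means p = pi = h; otherwise the average over
    all independent pairs of permutations of h (random pairing)."""
    if matched:
        m1, m2 = chi_moments(N1, N2, h, h)
    else:
        perms = list(permutations(h))
        m1 = m2 = F(0)
        for p in perms:
            for pi in perms:
                e1, e2 = chi_moments(N1, N2, p, pi)
                m1 += e1
                m2 += e2
        m1 /= len(perms) ** 2
        m2 /= len(perms) ** 2
    return m1, m2 - m1 * m1


def power_sums(h):
    return sum(F(x) ** 2 for x in h), sum(F(x) ** 3 for x in h)


def matching_formula(N1: int, N2: int, h):
    """Mean N1 N2 s2 (see lead-in) and variance by Eq. (4)."""
    s2, s3 = power_sums(h)
    var = N1 * N2 * ((N1 + N2) * (s3 - s2 ** 2) + (s2 + s2 ** 2 - 2 * s3))
    return N1 * N2 * s2, var


def tilt_nonmatching(N1: int, N2: int, h):
    """Eqs. (8) and (9)."""
    n = len(h)
    s2, _ = power_sums(h)
    t = s2 - F(1, n)
    var = F(N1 * N2, n - 1) * (N1 * t + (1 - s2)) * (N2 * t + (1 - s2))
    return F(N1 * N2, n), var


def kullback_nonmatching(N1: int, N2: int, h):
    """Kullback's Eq. (24.7) as quoted above."""
    n = len(h)
    s2, _ = power_sums(h)
    return N1 * N2 * ((N1 + N2) * (s2 / n - F(1, n * n))
                      + F(1, n) + F(1, n * n) - 2 * s2 / n)


H = [F(1, 2), F(1, 3), F(1, 6)]          # constructed, non-flat, n = 3

if __name__ == "__main__":
    for matched in (True, False):
        print("matched" if matched else "random pairing",
              exact_mean_var(2, 3, H, matched))
    print("Eq. (9)  :", tilt_nonmatching(2, 3, H)[1])
    print("Kullback :", kullback_nonmatching(2, 3, H))
```

With $N_1 = 2$, $N_2 = 3$ and $H = \{1/2, 1/3, 1/6\}$ the enumeration and Eq. (9) both give $V[\chi] = 91/54$ for random pairing, while Kullback's formula gives $90/54$; the two formulas agree, as the text states, when $N_1 = 1$ or when $H$ is flat. Working in `Fraction` rather than floating point is what makes this a proof for the chosen parameters instead of a tolerance check.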


Method of Proof 


For the purpose of proving Eqs. (8) and (9), we accomplish the required random 
pairing of $p$'s and $\pi$'s by letting $(p_1, p_2, \ldots, p_n)$ and $(\pi_1, \pi_2, \ldots, \pi_n)$ be two 
independent, random permutations of the probabilities in the set $\{h_k\}$. 


We shall derive $E[\chi]$ and $E[\chi^2]$ which give us both $E[\chi]$ and $V[\chi] = E[\chi^2] - 
(E[\chi])^2$. The line of proof for $E[\chi]$ as well as $E[\chi^2]$ is: first find the 
conditional mean given fixed permutations $(p_1, p_2, \ldots, p_n)$ and $(\pi_1, \pi_2, \ldots, \pi_n)$, 
and next derive the unconditional mean by letting $(p_1, p_2, \ldots, p_n)$ and 
$(\pi_1, \pi_2, \ldots, \pi_n)$ be random permutations. 


Derivation of $E[\chi]$ 

The conditional mean, given permutations $(p_i)$ and $(\pi_i)$, is 

$E[\chi \mid (p_i), (\pi_i)] = E\left[\sum_{i=1}^{n} a_i b_i\right] = \sum_{i=1}^{n} E[a_i]\, E[b_i] = \sum_{i=1}^{n} (N_1 p_i)(N_2 \pi_i) .$ 

Thus, 

$E[\chi \mid (p_i), (\pi_i)] = N_1 N_2 \sum_{i=1}^{n} p_i \pi_i .$   (13) 

Unconditioning, we let $(p_i)$ and $(\pi_i)$ be independent, random permutations. 
Thus $p_i$ and $\pi_i$ are independent, with $E[p_i] = E[\pi_i] = \frac{1}{n} \sum_{k=1}^{n} h_k = \frac{1}{n}$ for all $i$. 


Hence, 


$E[\chi] = E\big[E[\chi \mid (p_i), (\pi_i)]\big] = E\left[N_1 N_2 \sum_{i=1}^{n} p_i \pi_i\right] = N_1 N_2 \sum_{i=1}^{n} E[p_i]\, E[\pi_i] .$ 


Thus, 

$E[\chi] = N_1 N_2 \cdot \frac{1}{n} .$   (8) 


CRYPTOLOGIA VOLUME 8 NUMBER 2 


We remark that Eq. (8) follows easily from the observation that $\chi$ is the total 
number of identical outcomes among the $N_1 N_2$ pairs of trials, and that, given 
random pairing of $p$'s and $\pi$'s, the probability of identical outcomes is $1/n$. 


Derivation of $E[\chi^2]$ 


Again, we begin by deriving the conditional mean, given permutations $(p_i)$ and 
$(\pi_i)$. 


$E[\chi^2 \mid (p_i), (\pi_i)] = E\left[\left(\sum_{i=1}^{n} a_i b_i\right)^2\right] = E\left[\sum_{i=1}^{n} a_i^2 b_i^2 + 2 \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} a_i a_j b_i b_j\right] = \sum_{i=1}^{n} E[a_i^2]\, E[b_i^2] + 2 \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} E[a_i a_j]\, E[b_i b_j] .$ 

Now, $a_i$ is a binomial variable with mean $N_1 p_i$ and variance $N_1 p_i (1 - p_i)$, so that 
$E[a_i^2] = N_1 p_i (1 - p_i) + (N_1 p_i)^2$. Furthermore, $E[a_i a_j] = N_1 (N_1 - 1) p_i p_j$. The last 
formula is derived as follows: $E[a_i a_j \mid a_i] = a_i\, E[a_j \mid a_i] = a_i (N_1 - a_i)\, p_j / (1 - p_i)$, 
$E[a_i a_j] = E\big[E[a_i a_j \mid a_i]\big] = \big(N_1 E[a_i] - E[a_i^2]\big)\, p_j / (1 - p_i) = N_1 (N_1 - 1) p_i p_j$, using the 
expressions for $E[a_i]$ and $E[a_i^2]$. Similarly, $E[b_i^2] = N_2 \pi_i (1 - \pi_i) + (N_2 \pi_i)^2$ and 
$E[b_i b_j] = N_2 (N_2 - 1) \pi_i \pi_j$. By insertion of these expressions we 
obtain 


$E[\chi^2 \mid (p_i), (\pi_i)] = \sum_{i=1}^{n} \big(N_1 (N_1 - 1) p_i^2 + N_1 p_i\big)\big(N_2 (N_2 - 1) \pi_i^2 + N_2 \pi_i\big) + 2 \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} \big(N_1 (N_1 - 1) p_i p_j\big)\big(N_2 (N_2 - 1) \pi_i \pi_j\big) .$ 

A rearrangement gives 

$E[\chi^2 \mid (p_i), (\pi_i)] = N_1 N_2 (N_1 - 1)(N_2 - 1) \sum_{i=1}^{n} p_i^2 \pi_i^2 + N_1 N_2 \sum_{i=1}^{n} p_i \pi_i + N_1 N_2 (N_2 - 1) \sum_{i=1}^{n} p_i \pi_i^2 + N_1 N_2 (N_1 - 1) \sum_{i=1}^{n} p_i^2 \pi_i + N_1 N_2 (N_1 - 1)(N_2 - 1) \cdot 2 \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} p_i p_j \pi_i \pi_j .$   (14) 
Unconditioning, but utilizing only the independence between $(p_i)$ and $(\pi_i)$,

$$E[\chi^2] = E\big[E[\chi^2 \mid (p_i),(\pi_i)]\big]
= N_1N_2(N_1-1)(N_2-1)\sum_{i=1}^{n} E[p_i^2]E[\pi_i^2] + N_1N_2\sum_{i=1}^{n} E[p_i]E[\pi_i]$$

$$+\ N_1N_2(N_1-1)\sum_{i=1}^{n} E[p_i^2]E[\pi_i] + N_1N_2(N_2-1)\sum_{i=1}^{n} E[p_i]E[\pi_i^2]$$

$$+\ 2N_1N_2(N_1-1)(N_2-1)\sum_{i=1}^{n-1}\sum_{j=i+1}^{n} E[p_i p_j]E[\pi_i\pi_j].$$


Since $(p_i)$ and $(\pi_i)$ are random permutations, we have

$$E[p_i] = E[\pi_i] = \frac{1}{n}\sum_{k=1}^{n} h_k = \frac{1}{n} \quad (i = 1,2,\ldots,n),$$

$$E[p_i^2] = E[\pi_i^2] = \frac{1}{n}\sum_{k=1}^{n} h_k^2 = \frac{s_2}{n} \quad (i = 1,2,\ldots,n),$$

$$E[p_i p_j] = E[\pi_i\pi_j] = \frac{1}{n(n-1)}\sum_{k \neq l} h_k h_l
= \frac{\big(\sum_{k=1}^{n} h_k\big)^2 - \sum_{k=1}^{n} h_k^2}{n(n-1)} = \frac{1-s_2}{n(n-1)} \quad (i \neq j).$$


Substitution of these expressions for the means results in

$$E[\chi^2] = N_1N_2(N_1-1)(N_2-1)\, n\Big(\frac{s_2}{n}\Big)^2 + N_1N_2\, n\Big(\frac{1}{n}\Big)^2
+ N_1N_2(N_1-1)\, n\,\frac{s_2}{n}\cdot\frac{1}{n} + N_1N_2(N_2-1)\, n\,\frac{1}{n}\cdot\frac{s_2}{n}$$

$$+\ 2N_1N_2(N_1-1)(N_2-1)\,\frac{n(n-1)}{2}\Big(\frac{1-s_2}{n(n-1)}\Big)^2,$$

where $n(n-1)/2$ is the number of terms in the double sum.
Thus

$$E[\chi^2] = N_1N_2\Big[(N_1-1)(N_2-1)\frac{s_2^2}{n} + \frac{1}{n} + (N_1+N_2-2)\frac{s_2}{n} + (N_1-1)(N_2-1)\frac{(1-s_2)^2}{n(n-1)}\Big]. \qquad (15)$$
Derivation of $V[\chi]$

Insertion of the above expressions for $E[\chi]$ and $E[\chi^2]$ into the formula $V[\chi] =
E[\chi^2] - (E[\chi])^2$, and collection of terms, give us

$$V[\chi] = N_1N_2\Big[N_1N_2\Big(\frac{s_2^2}{n} + \frac{(1-s_2)^2}{n(n-1)} - \frac{1}{n^2}\Big)
+ (N_1+N_2)\Big(-\frac{s_2^2}{n} + \frac{s_2}{n} - \frac{(1-s_2)^2}{n(n-1)}\Big)$$

$$+\ \Big(\frac{1}{n} - \frac{2s_2}{n} + \frac{s_2^2}{n} + \frac{(1-s_2)^2}{n(n-1)}\Big)\Big].$$

This reduces to

$$V[\chi] = N_1N_2\Big[N_1N_2\frac{(s_2 - 1/n)^2}{n-1} + (N_1+N_2)\frac{(s_2 - 1/n)(1-s_2)}{n-1} + \frac{(1-s_2)^2}{n-1}\Big]. \qquad (16)$$


Finally, by factorization of Eq. (16) we obtain Eq. (9) above.

Variance decomposition


Observe that, by Eq. (16),

$$V[\chi/N_1N_2] = \frac{(s_2 - 1/n)^2}{n-1} + \Big(\frac{1}{N_1} + \frac{1}{N_2}\Big)\frac{(s_2 - 1/n)(1-s_2)}{n-1} + \frac{1}{N_1N_2}\cdot\frac{(1-s_2)^2}{n-1}. \qquad (17)$$


The variance $V[\chi/N_1N_2]$ may be split into two components due to random pairing
and multinomial sampling variation, respectively. By application of the well-known
general formula $V[X] = V[E[X \mid Y]] + E[V[X \mid Y]]$, see for instance [2, p. 97],
we conclude that


$$V[\chi/N_1N_2] = V\big[E[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big] + E\big[V[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big]. \qquad (18)$$


The right-hand side of Eq. (18) is the sum of the variance of the conditional
mean, given $(p_i)$ and $(\pi_i)$, and the mean of the conditional variance, given
$(p_i)$ and $(\pi_i)$.
We shall show that

$$V\big[E[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big] = \frac{(s_2 - 1/n)^2}{n-1}, \qquad (19)$$

$$E\big[V[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big] = \Big(\frac{1}{N_1} + \frac{1}{N_2}\Big)\frac{(s_2 - 1/n)(1-s_2)}{n-1} + \frac{1}{N_1N_2}\cdot\frac{(1-s_2)^2}{n-1}. \qquad (20)$$


First we prove Eq. (19). Note that by Eq. (13),

$$V\big[E[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big] = V\Big[\sum_{i=1}^{n} p_i\pi_i\Big]
= E\Big[\Big(\sum_{i=1}^{n} p_i\pi_i\Big)^2\Big] - \Big(E\Big[\sum_{i=1}^{n} p_i\pi_i\Big]\Big)^2.$$


The use of previous results gives

$$E\Big[\Big(\sum_{i=1}^{n} p_i\pi_i\Big)^2\Big] = E\Big[\sum_{i=1}^{n} p_i^2\pi_i^2\Big] + 2E\Big[\sum_{i=1}^{n-1}\sum_{j=i+1}^{n} p_i p_j\pi_i\pi_j\Big]
= \frac{s_2^2}{n} + \frac{(1-s_2)^2}{n(n-1)},$$

$$E\Big[\sum_{i=1}^{n} p_i\pi_i\Big] = \frac{1}{n}.$$

Hence,

$$V\big[E[\chi/N_1N_2 \mid (p_i),(\pi_i)]\big] = \frac{s_2^2}{n} + \frac{(1-s_2)^2}{n(n-1)} - \frac{1}{n^2} = \frac{(s_2 - 1/n)^2}{n-1}.$$


This proves Eq. (19). Eq. (20) follows therefrom by a comparison of Eqs. (17)
and (18). Notice, the latter variance component goes to 0 as $N_1$ and $N_2$ go to
infinity.
The error

Kullback's Eq. (21.7) is in error. The reason is an incorrect evaluation of
the mean of the term $2\sum_{i=1}^{n-1}\sum_{j=i+1}^{n} p_i p_j\pi_i\pi_j$ in our Eq. (14). Kullback makes use
of the identity

$$2\sum_{i=1}^{n-1}\sum_{j=i+1}^{n} p_i p_j\pi_i\pi_j = \Big(\sum_{i=1}^{n} p_i\pi_i\Big)^2 - \sum_{i=1}^{n} p_i^2\pi_i^2,$$

but asserts that the mean of the right-hand side equals
$1/n^2 - s_2^2/n$. True, $E\big[\sum_{i=1}^{n} p_i^2\pi_i^2\big] = s_2^2/n$. However,

$$E\Big[\Big(\sum_{i=1}^{n} p_i\pi_i\Big)^2\Big] \geq \Big(E\Big[\sum_{i=1}^{n} p_i\pi_i\Big]\Big)^2 = \frac{1}{n^2},$$

with equality holding if and only if $p_i = \pi_i = 1/n$ for all $i$.


It follows that the mean of the left-hand side ($2 \times$ double sum), and hence
$E[\chi^2]$ and $V[\chi]$, have been underestimated. A simple calculation shows that the
underestimation of $V[\chi/N_1N_2]$ amounts to


25 


Thus, $d > 0$ except when $N_1 = 1$, or $N_2 = 1$, or $s_2 = 1/n$, that is, if $p_i = \pi_i =
1/n$ for all $i$. For large $N_1$ and $N_2$, $d$ will nearly equal the variance of the
conditional mean, given $(p_i)$ and $(\pi_i)$, see Eq. (19).


Finally, we note that the error through $V[\chi]$ has caused an error in the
formula for the variance of $\Phi = \sum_{i=1}^{n}(a_i+b_i)(a_i+b_i-1)$, also in the case of
non-matching distributions, see [1, p. 49, Eq. (20.4)].


PARTIALLY MATCHED DISTRIBUTIONS 


The two cases already discussed, namely matching and non-matching
distributions, are the extreme cases in a general model in which any $m$,
$0 \leq m \leq n$, pairs of identical probabilities are matched in advance, and other
probabilities are paired randomly.


For the general model we shall give a formula for the mean of $\chi/N_1N_2$. Let $m$
denote the number of matches and call the matched probabilities $h_1, \ldots, h_m$.
That is, we assume $p_1 = \pi_1 = h_1, \ldots, p_m = \pi_m = h_m$, while the remaining $p$'s and
$\pi$'s are randomly paired. First we easily derive

$$E[\chi \mid (p_i),(\pi_i)] = N_1N_2\Big(\sum_{i=1}^{m} h_i^2 + \sum_{i=m+1}^{n} p_i\pi_i\Big).$$


Clearly, for $k > m$, $E[p_k] = E[\pi_k] = \big(1 - \sum_{i=1}^{m} h_i\big)/(n-m)$, so that

$$E[\chi/N_1N_2] = \sum_{i=1}^{m} h_i^2 + \frac{\big(1 - \sum_{i=1}^{m} h_i\big)^2}{n-m} \quad (0 \leq m \leq n-1). \qquad (21)$$


For $m = 0$, the sums are empty, and $E[\chi/N_1N_2] = 1/n$. For $m = n-1$, we have that
$E[\chi/N_1N_2] = \sum_{i=1}^{n} h_i^2 = s_2$. In effect, this is the other extreme case, since $n-1$
matches imply $n$ matches. Thus Eq. (21) is the general formula.
We shall demonstrate that increasing the set of matching probabilities never
results in a lower value of $E[\chi/N_1N_2]$. It will suffice to show that the
addition of any previously unmatched probability to an arbitrary set of
matching probabilities will not lead to a lower $E[\chi/N_1N_2]$.


Let $E[\chi/N_1N_2 \mid m]$ denote the mean of $\chi/N_1N_2$ for $m$ matched probabilities equal to
$h_1, \ldots, h_m$, and let $E[\chi/N_1N_2 \mid m+1]$ denote the mean of $\chi/N_1N_2$ for $m+1$ matched
probabilities equal to $h_1, \ldots, h_m, h_{m+1}$. Assume $0 \leq m \leq n-2$. Using Eq. (21) we
find, after a little manipulation, the following simple formula:

$$E[\chi/N_1N_2 \mid m+1] - E[\chi/N_1N_2 \mid m] = \frac{n-m}{n-m-1}\Big(h_{m+1} - \frac{1 - \sum_{i=1}^{m} h_i}{n-m}\Big)^2. \qquad (22)$$

Hence, the difference is nonnegative as asserted.
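The closed forms derived above for the randomly paired (non-matching) case, checked against a Monte Carlo simulation of $\chi = \sum_i a_i b_i$. This is an added example, not part of the paper; the probability multiset h, the sample sizes N1, N2 and the trial count are constructed values, and each function is named after the equation it implements.

```python
"""Check of the cross-product statistic chi = sum_i a_i b_i for randomly paired
distributions.  Added example, not part of the paper.

Model: a = (a_i) is multinomial(N1, p), b = (b_i) is multinomial(N2, pi), where
(p_i) and (pi_i) are independent random permutations of h_1, ..., h_n and
s_2 = sum_k h_k^2.  The closed forms are Eqs. (8), (16), (17), (19), (20) of the
derivation above, plus the underestimate that results when the mean of
2*sum_{i<j} p_i p_j pi_i pi_j is taken as 1/n^2 - s_2^2/n instead of
(1 - s_2)^2 / (n(n-1)).
"""
import random
from typing import Sequence, Tuple


def s2(h: Sequence[float]) -> float:
    return sum(x * x for x in h)


def mean_chi(h: Sequence[float], n1: int, n2: int) -> float:
    """Eq. (8): E[chi] = N1 N2 / n."""
    return n1 * n2 / len(h)


def var_chi(h: Sequence[float], n1: int, n2: int) -> float:
    """Eq. (16)."""
    n, s = len(h), s2(h)
    c = s - 1 / n
    return n1 * n2 * (n1 * n2 * c * c + (n1 + n2) * c * (1 - s) + (1 - s) ** 2) / (n - 1)


def var_conditional_mean(h: Sequence[float]) -> float:
    """Eq. (19): V[E[chi/N1N2 | (p_i),(pi_i)]] = (s_2 - 1/n)^2 / (n-1)."""
    n = len(h)
    return (s2(h) - 1 / n) ** 2 / (n - 1)


def mean_conditional_var(h: Sequence[float], n1: int, n2: int) -> float:
    """Eq. (20): E[V[chi/N1N2 | (p_i),(pi_i)]]."""
    n, s = len(h), s2(h)
    c = s - 1 / n
    return ((1 / n1 + 1 / n2) * c * (1 - s) + (1 - s) ** 2 / (n1 * n2)) / (n - 1)


def kullback_underestimate(h: Sequence[float], n1: int, n2: int) -> float:
    """Amount by which V[chi/N1N2] is underestimated when the double-sum mean
    is taken as 1/n^2 - s_2^2/n.  The double sum enters E[chi^2] with
    coefficient N1 N2 (N1-1)(N2-1); dividing by (N1 N2)^2 rescales to chi/N1N2."""
    n, s = len(h), s2(h)
    correct = (1 - s) ** 2 / (n * (n - 1))
    asserted = 1 / n ** 2 - s * s / n
    return (n1 - 1) * (n2 - 1) / (n1 * n2) * (correct - asserted)


def simulate(h: Sequence[float], n1: int, n2: int, trials: int,
             seed: int = 1) -> Tuple[float, float]:
    """Monte Carlo estimate of (E[chi], V[chi]) under the model above."""
    rng = random.Random(seed)
    n = len(h)
    total = total_sq = 0.0
    for _ in range(trials):
        p, pi = list(h), list(h)
        rng.shuffle(p)          # random pairing of the probabilities
        rng.shuffle(pi)
        a = [0] * n
        b = [0] * n
        for k in rng.choices(range(n), weights=p, k=n1):   # sample 1, size N1
            a[k] += 1
        for k in rng.choices(range(n), weights=pi, k=n2):  # sample 2, size N2
            b[k] += 1
        chi = sum(x * y for x, y in zip(a, b))   # coincidences among N1 N2 pairs
        total += chi
        total_sq += chi * chi
    m = total / trials
    return m, total_sq / trials - m * m


if __name__ == "__main__":
    h = [0.5, 0.3, 0.2]          # constructed probability multiset, n = 3
    N1, N2 = 20, 30
    m, v = simulate(h, N1, N2, 20000)
    print(f"E[chi]: formula {mean_chi(h, N1, N2):.2f}, simulated {m:.2f}")
    print(f"V[chi]: formula {var_chi(h, N1, N2):.2f}, simulated {v:.2f}")
    print(f"underestimate of V[chi/N1N2]: {kullback_underestimate(h, N1, N2):.3e}")
```

The decomposition (17) = (19) + (20) and the vanishing of the underestimate for $N_1 = 1$ or $s_2 = 1/n$ hold exactly; the simulated moments agree with Eqs. (8) and (16) to within sampling error.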
SOFTWARE PROTECTION FOR MICROCOMPUTERS
JOHN M. CARROLL AND PIERRE G. LAURIN


ABSTRACT: The most popular microcomputers have serious security 
weaknesses. Their password protection gives no protection at all 
against anyone skilled in the art of systems programming. The system 
described relies upon file encryption. It is implemented entirely in 
software and affords moderate security without incurring high overhead
or memory residence costs.


INTRODUCTION 


The migration of the microcomputer into the business office has forced a re- 
examination of the fundamental premises of computer security. (We understand 
the term microprocessor to refer to a central processing unit realized on a 
single semiconductor chip; a microcomputer consists of one or more micro- 
processors and the memory and gate circuits associated with it or them.) 


Most computer security regimes rely on the principle of forced collusion, that 
is, that it is much harder to subvert two or more people than one. Thus we 
decree that programmers must not operate; operators must not program; tape 
librarians must assume custody of magnetic media removed from the main frame; 
and at least two systems programmers must sign off on security significant 
changes to software. 


A second safeguard is multi-state operation of the computer. The computer is
able to recognize at least two states, sometimes called supervisor state and
problem state, but also called privileged/non-privileged, executive/application,
or monitor/user. Security significant actions such as input, output,
memory management, and access to system resources are handled in supervisor
state by control programs functioning in accordance with specified access
rules.


The principles of forced collusion and multi-state operation overlap in that
multi-state operation places the control programs beyond the control of the
user and that these control programs are implemented and maintained by trusted
systems programmers.
In many business applications of microcomputers neither of these safeguards
exists. Many popular micros do not support two-state operation, and a single
individual may be responsible for both operating and programming.


OBJECTIVES 


The objective of our research is to determine whether security controls can be 
imposed on an 8-bit microcomputer. The controls we developed act within the 
following scenario: 


-There are assumed to be three classes of users: 


(1) the trusted user (probably only one person, the boss, who possesses 
access rights to all information); 


(2) the semi-trusted users who have been delegated the right to read 
specified items of sensitive information; 


(3) the untrusted users who may not access any sensitive information. 


-The security system to be described is a file encryption system. The
information to be protected resides on five-and-a-quarter inch diskettes.
The information is encrypted and is protected by three passwords: a system
password, a disk password, and 350 record passwords. The name of the system
is SCRAMBLE.


-The trusted user encrypts the protected files. The trusted user alone 
possesses the system password and in general has sole possession of the disk 
passwords, one for each encrypted diskette. 


-The trusted user must open encrypted diskettes after which semi-trusted 
users can read them. 


-Untrusted users can use the computer for program development and processing 
of non-sensitive information. The security provisions of the computer's 
operating system (disk password, access and update passwords, and provision 
for invisible files) are available to them as well as to the trusted and 
semi-trusted users. 
CONVENTIONAL PASSWORD PROTECTION


This work was carried out using a Tandy Radio Shack TRS-80 Model I, Level 2 
microcomputer operating under TRS-DOS 2.1 or 2.3 (Disk Operating System) with 
48,000 bytes of random-access memory and two diskette drives. 


Here is how conventional password protection works on the TRS-80: 


-Each disk has a master password. This password can override any individual
file password except for invisible and system file passwords. The master
password can be assigned to all user files. It then overwrites the existing
passwords, thus removing them.


-Each file can be assigned two separate passwords. These are the access and 
update passwords. The access password limits access as specified by a 
sublevel. The highest sublevel, kill, grants total control. The remaining 
sublevels are: rename, write, read, and execute. Any sublevel grants the 
functions of the sublevels below it. Passwords are hashed before storing on 
the disk. 


-The invisible file feature creates a subdirectory in which the user can 
hide files. The directory command will not list invisible files. 


-TRS-DOS protects its own file under a system file flag. When the permanent
part of TRS-DOS calls a system file in response to an O/S (Operating System)
command, the file will not execute unless the system's flag is set.


-The disk directory is composed of ten sectors (two "granules"). Each
sector is read protected. TRS-DOS does not require read protection on
system files.


SECURITY WEAKNESSES OF MICROCOMPUTERS 


The principal security weakness of 8-bit microcomputers is that the computer 
cannot distinguish between operating-system instructions and user—program 
instructions. Among other things, this implies that the computer’s entire 
memory is accessible by the programmer. 


A closely related weakness is the absence of a system's stack. Both the
system and the user use the same stack to store the return address from
subroutine calls, to preserve the contents of registers, or to pass arguments
to subroutines.
Figure 1. Simplified block diagram of Z-80 microprocessor.
The stack pointer (see Figure 1) is a 16-bit register that contains the
address of the next available location in an external (i.e., exists somewhere
in random access memory, not in the central processing unit) push-down/pop-up
stack (i.e., an array of consecutive memory locations in which data can be
stored in a first-in, first-out fashion). The stack can have any address
(i.e., location) that is convenient. The stack can be used to store and
retrieve the contents of the accumulator (shown in our diagram as part of the
arithmetic logic unit), flags, program counter and any of the eight general-
purpose registers (i.e., AF to BC'). The stack pointer controls the addressing
of the stack. The stack permits the processor to handle multiple-level
interrupts and subroutine nesting. It stores the current state of the pro-
cessor so that control can be returned after an interrupt or subroutine call.


Sixteen-bit microprocessors like the Motorola 68000 have two stack pointers 
and two stacks. One stack pointer and stack is dedicated to use by the 
operating system and is normally not under the programmer’s control. 


In a single-stack processor like the Z-80 (i.e., the "guts" of the Radio Shack
TRS-80) a programmer can modify the execution of a system's command by chang-
ing the contents of the stack. Consider, for example, the handling of an
interrupt. The programmer can push the address of his program down the stack,
then create an interrupt. This forces the system to jump to the subroutine
that handles it. But since the return address has been changed, control
passes to the user's program.


Each device is assigned a port and an I/O (Input/Output) controller; the
addresses are in ROM (Read-Only Memory). Inasmuch as the programmer has
access to the entire memory including ROM, he can bypass the O/S and read or
write to any I/O device thus circumventing any software protection. A pro-
grammer who learns his disk controller code can read or write any sector on
any disk track. Thus he can get an entire file even if it is protected by a
password on the directory.


SPECIFIC ATTACKS ON MICROCOMPUTERS 


Special programs widely circulated in the microcomputer underground can help a 
would-be intruder. 


SUPERZAP can copy any disk sector into memory where the intruder can modify 
it. The modified sector overlays the original when recopied onto the disk. 
When a read-protect sector is modified, the write routine must include the 
read-protect feature. SUPERZAP permits modification of read-protected sectors 
without disabling the read-protect flag as well as enabling the flag on any 
sector. This feature is useful when an intruder wants to alter a directory. 
RSM 2 can disassemble a compiled program. It can read/write to disk but it
can neither keep nor enable the read-protect flag. With RSM-2, a program can
be loaded from any disk sector, disassembled and then modified by changing its
object code on the disk.


One way to defeat a system protected by hashed passwords is to create a file
with no password (default is eight blanks). This hashes to 9642 9642 hexa-
decimal on the TRS-80. Using SUPERZAP, the intruder can enter the target
directory, overwrite any individual password with 9642 9642 hexadecimal and
the corresponding file becomes unprotected. However, if the user is clever,
he will cover up his theft of data by replacing the hashed version of the
original password.


The Trojan Horse program can be a powerful tool for an intruder. It is an 
ordinary looking program that does what it is intended to do and does some- 
thing to help the intruder as well. Suppose a program exists that is intended 
to update a sensitive file. Naturally it must be able to read from or write 
to it. If an intruder can get to that program, he can modify it so that in 
addition to updating the sensitive file, it also produces a copy for the 
intruder and stores it on a file in a surreptitious repository that nobody but 
the intruder knows. 


OVERVIEW OF SCRAMBLE 


SCRAMBLE is a storage tool. The user is not allowed to execute programs under
SCRAMBLE supervision.


SCRAMBLE cannot be used to protect "execute-only" disks. 


It is a password system and the passwords must be protected. Passwords should be
selected so they are not easily guessed or subject to discovery by exhaustive
trial of permutations. Passwords should be eight characters long.


No user can change the system password. It is a permanent feature, unique to 
each copy of the SCRAMBLE system. 


SCRAMBLE can be described as a new operating system with enhanced protective
features. It results from a modification of existing TRS-DOS I/O routines to
permit ciphering and deciphering. It retains all file manipulation commands,
and disables certain commands that are undesirable in a secure environment.


We will describe SCRAMBLE on the operational, functional, and design levels:
what it does, how it does it, and how it works.
OPERATIONAL DESCRIPTION


TO CREATE A PROTECTED FILE: 


NOTE 

INFO/TXT is the clear text version of a sensitive file
INFO/CRY is the enciphered version of that file
TRS-DOS is the normal operating system


1. Store clear text. With TRS-DOS and blank on drive 0, write INFO/TXT on 
drive 0. 


2. Load SCRAMBLE. TRS-DOS+INFO/TXT on drive 0, and SCRAMBLE on drive 1. 

3. Encrypt INFO/TXT. With TRS-DOS+INFO/TXT on drive 0 and a blank disk on 
drive 1, run FORMAT, create the disk password; COPY INFO/CRY on drive 1 
and create a TRS-DOS file password. 

4. Kill INFO/TXT. 

(Note: The plus sign denotes concatenation). 
TO READ A PROTECTED FILE 

1. Load SCRAMBLE. TRS-DOS+blank on drive 0, and SCRAMBLE on drive 1. 

2. Decrypt INFO/CRY. With TRS-DOS+blank on drive 0, and INFO/CRY on drive 
1, run CHANGE giving the disk password; COPY INFO/TXT on drive 0 giving 
the TRS-DOS file password. 

3. Read INFO/TXT. 


4. Kill INFO/TXT.
ENCRYPTION

drive 0 = TRS-DOS 2.1 or 2.3, INFO/TXT
drive 1 = SCRAMBLE, DES/SIM, SCRAMBLE/CMD

Command:      DES/SIM
System asks:  SYSTEM PASSWORD?
You answer:   XXXXXXXX (You get four chances with the prompt, then return
              to TRS-DOS with the message NOTHING DONE)
System:       DOS READY

              Put a blank disk on drive 1

Command:      FORMAT
You answer:   MM/DD/YY
System asks:  DISK PASSWORD?
You answer:   YYYYYYYY
System asks:  DO YOU WANT ANY TRACKS LOCKED OUT?
You answer:   N
System:       FORMATTING COMPLETE (file is "invisible")
Command:      CHANGE
System asks:  DISK PASSWORD?
You answer:   YYYYYYYY
System:       DOS READY
Command:      COPY INFO/TXT:0 TO INFO/CRY:1
Command:      KILL INFO/TXT:0
Command:      ATTRIB INFO/CRY:1 (I, ACC=ZZZZZZZZ, UPD=WWWWWWWW, PROT=level)
DECRYPTION

drive 0 = TRS-DOS
drive 1 = SCRAMBLE

Command:      DES/SIM
System asks:  SYSTEM PASSWORD?
You answer:   XXXXXXXX

              Put the ciphered disk on drive 1

Command:      CHANGE
System asks:  DISK PASSWORD?
You answer:   YYYYYYYY
System:       DOS READY
Command:      COPY INFO/CRY:1 TO INFO/TXT.ZZZZZZZZ:0

              (read INFO/TXT)

Command:      KILL INFO/TXT.ZZZZZZZZ:0


FUNCTIONAL DESCRIPTION 


Figure 2 shows that the system password is the first line of defense. It is a 
permanent feature unique to each copy of SCRAMBLE and should remain in the 
exclusive possession of the trusted user. 


Unique disk passwords are assigned by the trusted user to individual diskettes 
as they are formatted. Some disk passwords may be delegated to semi-trusted 
users. 


The access and update (with protection level) passwords and the invisible file 
feature are normal TRS-DOS protection mechanisms. They are assigned to the 
deciphered copy of the encrypted disk and are delegated to semi-trusted users. 


The ciphering algorithm is transparent to the user. It consists of adding 
(modulo two) a 256-byte random key to each record. The whole buffer is 
ciphered (or deciphered) at each I/O call. 


The same key is used for each of the 350 records on a disk but the key is 
shifted for each record by the output of a sensitive file shifting algorithm 
(a random—number generator) whose input is obtained by hashing the disk pass- 
word and the record number. 


The transposition matrix is used to prevent an intruder from knowing where to 
put information. For example, file invisibility depends on the setting of a 
single bit. If the intruder knows its location, he can reset it despite 
encryption of the file. The transposition matrix is a permanent feature 
unique to each copy of SCRAMBLE. The ciphering algorithm requires both 
ciphering and deciphering matrices but one of these is generated from the
other as it is needed.


[Figure 2: SYSTEM PASSWORD, then DISK PASSWORD, then INDIVIDUAL FILE PASSWORD
(ACCESS, UPDATE, INVISIBLE), then CIPHERING ALGORITHM (TRANSPOSITION,
SUBSTITUTION).]

Figure 2. Protective mechanisms in order of application.


Figures 3 and 4 comprise a flow-chart of the process. Figure 5 symbolically
illustrates the storage layout of system components DES/SIM, SCRAMBLE, and
modified TRS-DOS. SCRAMBLE is delivered and stored in encrypted form. It is
encrypted in the U.S. National Bureau of Standards Data Encryption Standard.
A software implementation of DES is stored in DES/SIM.
[Figure 3: START; SYSTEM PASSWORD; SCRAMBLE FIRST BLOCK; MODIFY KEY; KEEP
MODIFIED KEY FOR THE CHANGE COMMAND; SCRAMBLE REMAINING BLOCKS; PASS CONTROL
TO SCRAMBLE.]

Figure 3. Flow chart, Part I.


The system password is used simultaneously as key (DES KEY 1) and input to 
DES. The output of DES is fed back in and used as the key (DES KEY 2) for the 
next step. This step consists of deciphering the first block of SCRAMBLE. 
The first block of SCRAMBLE is really the first block of DES. It contains a
routine to modify the DES key (thus creating DES KEY 3). It also contains the
real starting address of SCRAMBLE. The address of SCRAMBLE stored in the
clear in DES/SIM is fictional. It is intended to mislead an intruder.


[Figure 4: DISK PASSWORD; MODIFIED KEY FROM SYSTEM PASSWORD; SCRAMBLE
DECIPHER FIRST DISK BLOCK; CONTROL PASSED BACK TO TRSDOS UNDER SCRAMBLE.]

Figure 4. Flow chart, Part 2.
[Figure 5: three copies of the DES code, each ending in a jump (JP ADD1,
JP ADD2, JP ADD3) to (A) the FICTIONAL SCRAMBLE ADDRESS, (B) the ATTACKER'S
PROGRAM ADDRESS, (C) the REAL SCRAMBLE ADDRESS.]

Figure 5. Protection of the address of SCRAMBLE:
(a) Fictional SCRAMBLE address,
(b) Attacker's program address,
(c) Real SCRAMBLE address.


Figure 6 shows how this deception works. A logical attack on SCRAMBLE would 
include changing the address of SCRAMBLE (as it resides in the clear text part 
of DES) to that of the intruder’s program. However, in the loading process, 
the fictional starting address is overwritten with the real starting address 
(from block one of SCRAMBLE); an intruder’s misdirecting address would be 
overwritten too, thereby avoiding an undesired transfer of control. 


The reason we modify DES KEY 2 is to foil an intruder who implants his own
copy of DES so as to bypass control transfer protection (i.e., the system
password). If the intruder thereby succeeds in recovering DES KEY 2 and is
unaware of the key modification, he will be forestalled from further penetra-
tion.


The "test for TRS-DOS disable flags" noted in Figure 5 tests to see that TRS- 
DOS commands TRACE or DEBUG are not enabled. If they are, the procedure will 
terminate. This safeguard is included to prevent an intruder from using these 
system utilities to circumvent our protective mechanisms. 


Returning to Figure 3, we see that DES KEY 3 is inserted; DES proceeds to 
SCRAMBLE’s real starting address, and deciphers the program. 
[Figure 6: DES/SIM (CLEAR): FIRST BLOCK OF DES/SIM. SCRAMBLE (CIPHERED):
FIRST BLOCK: 1. MODIFIED DES KEY 2; 2. CONTAINS REAL ADDRESS OF REST OF
SCRAMBLE; 3. CONTAINS ADDRESS OF DES/SIM. DES KEY 3 AND SHIFTING ALGORITHM
SEED HIDDEN HERE. TRANSPOSITION MATRIX, I/O BUFFER AND SCRAMBLE KEY 1 HIDDEN
HERE (CLEAR).]

Figure 6. Storage of security software components.


Control is now passed to SCRAMBLE. It first modifies TRS-DOS by disabling
TRACE, DEBUG, LOAD and BASIC. It supplies three new O/S commands: FORMAT,
CHANGE and EDIT, overwriting TRS-DOS DATE and TIME to make room for them.
With DES KEY 3 inserted in DES, the disk password is now repeatedly input to
produce a 256-byte key (SCRAMBLE KEY 1). 


FORMAT allows the user to format a blank disk which will receive encrypted 
information. When formatting a disk, SCRAMBLE will encipher BOOT/SYS and the 
directory file by adding them modulo 2 to SCRAMBLE KEY 1. 


CHANGE permits the trusted user to work on different ciphered disks without
reloading SCRAMBLE. It asks for the disk password and creates SCRAMBLE KEY 1
just like FORMAT does.


EDIT is the Z-80 editor. It permits a trusted or semi-trusted user to make 
alterations on an encrypted file without having to remove it from the pro- 
tected disk. 


DESIGN DESCRIPTION 


SCRAMBLE uses SCRAMBLE KEY 1 to encrypt and decrypt text. The shifting algo- 
rithm is used to create 256 different record keys. (We can regard them as 
SCRAMBLE KEYS 3 to 257). The shifting algorithm is a pseudo-random number 
generator. It is given a unique seed for each record and produces a 256-byte 
pseudo-random number sequence which is added modulo 2 to the record. To make 
the sequences different for every ciphered disk, the disk password is hashed 
with the record numbers to create the seeds. The record number is the track 
number multiplied by ten plus the sector number. 


There are 1.37 records per key (350/256). The keys are called randomly. The 
seeds consist of 3-bytes. Byte 1 is the second byte of the hashed disk 
password. Bytes 2 and 3 are the sum of the hashed disk password and the 
record number. 


Assume the disk password is SCRAMBLE. This is hashed by an algorithm that
reduces the eight bytes to two. SCRAMBLE hashes to A21A hexadecimal. The
first byte of the seed is 1A. Assume we are accessing the record on track
ten, sector five. The record number is 0069. Bytes two and three are A21A +
0069 = A283. The seed is, therefore, 1AA283.
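The record numbering, seed layout and per-record XOR ciphering described above, as an added example (not the SCRAMBLE code). The paper does not give the disk-password hash or the shifting algorithm, so the hash is taken as an already computed 16-bit value and the generator below is a labelled stand-in; the worked example (SCRAMBLE hashes to A21A, track 10 sector 5) is used as the check.

```python
"""Per-record key derivation and ciphering in the style of SCRAMBLE.

Added example, not the SCRAMBLE code.  The paper gives the record numbering,
the three-byte seed layout and the XOR (addition modulo 2) ciphering, but not
the disk-password hash or the "shifting algorithm"; the hash is therefore
taken as an already computed 16-bit value and the generator below is a
stand-in (ASSUMPTION).
"""

RECORD_SIZE = 256           # one record is one 256-byte buffer
TRACKS, SECTORS = 35, 10    # 35 tracks x 10 sectors = the 350 records per disk


def record_number(track: int, sector: int) -> int:
    """Record number = track * 10 + sector (Design Description)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS):
        raise ValueError("record outside the 350-record disk layout")
    return track * 10 + sector


def record_seed(password_hash: int, track: int, sector: int) -> bytes:
    """Three-byte seed: byte 1 is the second (low) byte of the hashed disk
    password; bytes 2 and 3 are hash + record number as a 16-bit value
    (wrap-around modulo 2^16 is an ASSUMPTION; the paper's example does not
    overflow)."""
    if not 0 <= password_hash <= 0xFFFF:
        raise ValueError("the hash reduces the password to two bytes")
    total = (password_hash + record_number(track, sector)) & 0xFFFF
    return bytes([password_hash & 0xFF]) + total.to_bytes(2, "big")


def keystream(seed: bytes, length: int = RECORD_SIZE) -> bytes:
    """Stand-in pseudo-random generator (ASSUMPTION, not SCRAMBLE's): a 24-bit
    linear congruential generator started from the 3-byte seed, one output
    byte per step."""
    state = int.from_bytes(seed, "big")
    out = bytearray()
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFF
        out.append(state >> 16)
    return bytes(out)


def cipher_record(data: bytes, password_hash: int, track: int, sector: int) -> bytes:
    """Encipher or decipher one record by adding its keystream modulo 2.
    XOR is its own inverse, so the same call performs both directions."""
    if len(data) != RECORD_SIZE:
        raise ValueError("a record is exactly 256 bytes")
    ks = keystream(record_seed(password_hash, track, sector))
    return bytes(d ^ k for d, k in zip(data, ks))


def roundtrip_ok(password_hash: int, track: int, sector: int) -> bool:
    """Constructed 256-byte record: checks that deciphering the ciphertext
    restores the plaintext and that the ciphertext differs from it."""
    plain = b"INFO/TXT record " * 16                 # 16 bytes x 16 = 256
    ct = cipher_record(plain, password_hash, track, sector)
    return ct != plain and cipher_record(ct, password_hash, track, sector) == plain


if __name__ == "__main__":
    # The paper's worked example: SCRAMBLE hashes to A21A, track 10 sector 5.
    print(record_seed(0xA21A, 10, 5).hex().upper())   # 1AA283
    print(roundtrip_ok(0xA21A, 10, 5))                # True
```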


Figure 4 shows that after the disk blocks have been deciphered (enciphered),
control passes to TRS-DOS.


Figure 6 shows that the transposition matrix and SCRAMBLE KEY 1 are hidden in
the O/S I/O buffers. They are continually being destroyed and rebuilt. Fur-
thermore, if an intruder should stop the execution of SCRAMBLE, neither com-
ponent will be rebuilt. Before any I/O, SCRAMBLE takes the key and matrix out
of the buffer. At the end of the routine, they are recopied into the buffer.
Every O/S operation must perform at least one I/O routine; so if an intruder
disables SCRAMBLE, the loading of the O/S will destroy both the key and the
matrix.


DES KEY 3 is stored in eight bytes used by the O/S. The seed of the shifting
algorithm is stored in two locations used by the O/S. Thus they are afforded
the same protection accorded SCRAMBLE KEY 1 and the transposition matrix.


After the text is decrypted, control is returned to (modified) TRS-DOS. The 
computer can be entrusted to the semi-trusted user who can execute any TRS-DOS 
command except the four disabled ones. When the semi-trusted user completes 
his session, he has to reset the computer thus destroying DES KEY 3, SCRAMBLE 
KEY 1, the seed for the pseudo-random number generator, and the transposition 
matrix. 


RESULTS 
SCRAMBLE requires 29 disk sectors or 7K of memory. 


The time overhead added to the system by the measures taken to protect the 
crypto parameters is 500 microseconds per I/O call. The total overhead per 
I/O call is about 8.5 milliseconds. A normal I/O routine takes on the average 
400 milliseconds including displacement of the disk read/write head. Thus the 
ciphering algorithm adds only 2.15 percent overhead to each I/O call. 


VULNERABILITIES 
There are two known vulnerabilities to SCRAMBLE. 


1. An intruder can overwrite a file with junk. The only effective
protection against this kind of attack is physical protection of
the disks.


2. A Trojan Horse program can be used. In such an attack TRS-DOS
can be modified to bypass SCRAMBLE.


Here's how it could work. Using RSM 2 the intruder can examine SYS1/SYS (the
permanent part of TRS-DOS) and discover the starting address of some
appropriate command. Next, he could replace that TRS-DOS subroutine with a
copy of RSM-2. Then he can let the trusted user load SCRAMBLE and create the
necessary crypto keys. Now if the intruder is one of the semi-trusted users,
he can call the TRS-DOS command he has modified and examine SCRAMBLE to his
heart's content.
CONCLUSIONS


Like every protective mechanism, SCRAMBLE can be defeated by an intruder who 
is dedicated, resourceful, and enjoys a fair amount of good luck. 


Within its limitations, SCRAMBLE is useful for controlling the dissemination
of sensitive information. It enables the trusted user to decide when and to
whom information residing on encrypted disks shall be released and does so
without the need for expensive hardware and with extremely low overhead.


We believe our development procedure that consisted of repeated cycles of
measure-attack-countermeasure should be of interest to designers of software
security systems that are not necessarily directed against the same threat
scenario.


Some of the newer 16-bit microprocessors provide for two-state operation but 
they have yet to be incorporated into popular microcomputers. Even when, and 
if, they are, file encryption would still be valuable as a back-up protective 
mechanism. Only a multi-state machine with built-in encryption/decryption 
chips would obviate the need for systems like this. 


[The research reported in this paper was carried out with the support
of the Natural Sciences and Engineering Research Council of Canada
under grant No. A7132 and the Canadian Certified General Accountants'
Association under grant No. 064501, whom the authors gratefully thank.]
CORRECTIONS FOR PUBLISHED COPY OF
UNITED STATES CRYPTOGRAPHIC PATENTS: 1861 - 1981


JACK LEVINE 


[Ed. note: Cryptologia published United States Cryptographic Patents: 1861 -
1981 in 1983. Authored by Professor Jack Levine, Professor Emeritus of Mathe-
matics, North Carolina State University, the book has served as the definitive
work in this area. This book is still available from Cryptologia for $10.00.
As with all such endeavours there will be errors in manuscript preparation
despite all good intentions. Below is a list of the corrections which have
been found for insertion in your copy of the book.]


Page   Patent        Correction 
1      48,681        Change "Edward" in name to "Edwin" 
1      294,175       Change "Cryptographical" in title to "Cryptographal" 
8      797,016       Change "Pimental" in name to "Pimentel" 
9      1,472,218     Change "receiver" in title to "receiving" 
14     1,945,014     Change "20" in date to "30" 
15     2,093,397     Change "4" in date to "14" 
17     SsP Caged     Change middle initial "E" in name to "D" 
19     2,396,288     Change "V" in name to "v" to read "van" 
22     2,479,338     Change "communication" in title to "communications" 
24     2,586,475     Change "Vladimir" in name to "Wladimir" 
26     2,689,686     In title, change "digraphs and trigraphs" to read 
                     "digraphs, trigraphs" 
ye     2,177,897     In name, change "Bretener" to read "Gretener" 
29     2,816,156     In name, change "Fawley" to read "Pawley" 
29     2,832,826     In date, change "20" to "29" 
31     2,939,916     In title, change "translation" to read "translating" 
32     3,000,486     Omit "et al." 
33     3,033,922     In name, change "Oran" to read "Oren" 
34     3,170,033     In title, change "signals" to read "symbols" 
34     J sh lds0a3   In date, change "25" to "23" 
34     3,188,391     In name, change "Francis" to read "Francois" 
36     3,234,663     In date, change "16" to "15" 
36     3,309,694     Add "et al" at end of name 
39     3,445,591     In name, change "Keohler" to read "Koehler" 
39     3,490,044     In title, change "Communication" to read "Communications" 
39     3,499,992     In title, change "communication" to read "communications" 
47     3,953,677     In title, change "multiplex" to read "multiple" 
48     3,980,836     In name, add "et al." 
52     4,156,108     In title, change "transmission" to read "transmissions" 
52     4,163,872     In title, change "signal" to read "signaling" 
53     4,170,757     In title, change "Method and" to read "Method of and" 
53     4,171,513     In title, change "communication" to read "communications" 
54     4,179,658     In name, change "Blitzer" to read "Bitzer" 
58                   In Patent following 4,268,860, change "4,721,482" to 
                     read "4,271,482" 
63                   Under "Druz", change "7,755,333" to read "2,755,333" 
66                   Under "Gannett", change "2,983,326" to read "3,983,326" 
66                   Under "Mathes", change "3,401,877" to read "2,401,877" 
68                   Under "Atalla", change "2,283,599" to read "4,283,599" 

In addition there is one known omission: 

4,156,314   Leo Rosen   May 29, 1979   Rotors for a ciphering machine. 


The following patent numbers are to be added to the list of Secondary Patents: 

3,699,496   3,700,900   3,778,128   4,070,091   4,095,192   4,174,149. 


THE SLIDEX RT CODE 
LOUIS KRUH 


The Slidex Radiotelephone (RT) Code was one of almost two dozen codes and 
ciphers authorized by the Signal Division, Supreme Headquarters, Allied Expe- 
ditionary Force (SHAEF) for use in Operation "Overlord," the invasion of 
Normandy in 1944, by the combined US-British forces. [1] 


The Slidex unit consists of a metal frame in which a card with 12 columns and 
17 rows is placed. The card is preprinted with words, letters and numbers in 
each of its 204 boxes. Different cards are provided for different units, each 
with its own vocabulary, appropriate to the user. 


[Figure: The Slidex Frame. A card is shown in the frame; legible entries 
include PLATOON, SECTION, TONIGHT, TRANSMITTERS and TRANSPORT.] 
Across the top and down the side of the frame are slots for key alphabets. 
These provide the letters for bigram coordinates to encipher the words, 
letters (for spelling other words), and numbers on the card. 


The Slidex was the only system authorized for use in radiotelephone 
conversations by airborne troops. Instructions issued February 1, 1944, 
specified that the keys "must either be based on a memorisable code word or be 
distributed in a manner that ensures secure encoding even though a proportion 
of such keys may have been captured by the enemy during the operation." [2] 


The instruction booklet for the Slidex directed the user only to encode those 
portions of conversation which might be of value to the enemy. It 
specifically said that it was not to be used to encode the entire message. 
(See complete instructions following.) This proved to be its main weakness as 
the Slidex was broken soon after the Germans first intercepted traffic during 
maneuvers in southern England in March, 1944. [1] Subsequently, U.S. signal 
intelligence authorities declared that the Slidex "was cryptographically 
insecure in that it involved a mixture of code and clear text and was 
therefore particularly susceptible to cryptanalysis." Instructions were then 
issued to recommend a new method of indicating the key setting. The method 
was adopted on December 23, 1944, throughout the AEF but two weeks later, on 
January 6, 1945, the Signal Division recommended the Slidex be replaced within 
the U.S. forces. [3] 


It was a relatively short-lived history for an undistinguished code made even 
more vulnerable by inept instructions. 


REFERENCES 


1. Thompson, G.R. and D.R. Harris. 1966. The Signal Corps: The Outcome. 
Washington: USGPO. pp. 90-91. 


2. Supreme Headquarters, Allied Expeditionary Force. 1945. Report of Signal 
Division, SHAEF in Operation "Overlord." 4: 1175. 


3. Supreme Headquarters, Allied Expeditionary Force. 1946. Report of Signal 
Division, SHAEF in Operation "Overlord." 5: 1587. 


[On the following pages we reproduce the Instructions for the Use of Slidex RT 
Code — text on pages 1-3, and 6-8, with the Imaginary Vocabulary List 
occupying pages 4-5 of the original Instructions manual.] 
RESTRICTED 


The information given in this document 
is not to be communicated, either directly 
or indirectly, to the Press or to any person 
not authorized to receive it. 


INSTRUCTIONS FOR THE USE OF 
SLIDEX RT CODE 


1. General 


(a) This code will be used exclusively to conceal those portions of 
a RT or key conversation which it is considered might be of value 
to the enemy. It will NOT be used to encode the whole of a 
conversation unnecessarily. 

(b) All officers and such other ranks as may have to carry on, 
transmit, receive or handle either type of conversation must know 
how to use the code. 


2. Equipment 


The equipment consists of a folding case, code cards and cursors, 
long and short. The case has a pocket in which the cards and 
cursors are kept. In use, the case is opened so that the pocket 
lies to the left. On the right is a frame consisting of two vertical 
metal strips to hold the card in use and two channels, one across 
the top and one down the left-hand side, into which the cursors 
slide. 


3. Code Cards 


(a) All code cards have 12 columns and 17 rows forming 204 
rectangles. Separate cards are provided as under :— 

Ops/Sigs, Med, RA, RE, RAC/REME, Air, Q(a) for use down 
to Corps rear links, Q(b) for use forward of Corps, Unit. 

(b) Each type of card has, 

(i) A vocabulary, printed in black, appropriate to the user, 
except the Unit card. The words, phrases, etc., are 
arranged alphabetically by rows. Unit cards are blank 
and it is the intention that each unit shall prepare and 
insert on its Unit cards a vocabulary suitable for use 
within its own unit. 

(ii) Numbers 0-9, 00-99 and the letters of the alphabet printed 
in red in the top left-hand corners of the rectangles. The 
numbers 00-99 are arranged in numerical order by 
columns, interspersed with letters and single figures. The 
single figures are arranged so that 0 precedes 00, 1 appears 
between 09 and 10, 2 between 19 and 20, and so on. 
The letters are in alphabetical order, a complete alphabet 
to every four columns, thus each letter appears three times 
on the card. In one alphabet on each card E and T 
are duplicated and so appear four times each. 
(iii) Twelve switches, six SWITCH ON and six SWITCH OFF, 
also printed in red. 


4. Cursors 


(a) Cursors are of two kinds, 

(i) LONG, having divisions the width of a card column. They 
slide into the horizontal channel above the card and 
"horizontal keys" (q.v.) are written on them. 

(ii) SHORT, having divisions the width of a row on the card. 
They slide into the vertical channel to the left of the card 
and "vertical keys" (q.v.) are written on them. 

(b) Cursors, both LONG and SHORT, are known as BLACK, 
GREEN or RED according to the colour of their division lines. 
They are also marked at either end, on one side with a band of 
colour and on the other side with coloured square dots. 

(c) LONG cursors have 16 divisions, SHORT cursors have 21 
divisions. 


5. Keys 


The device may be used with either sliding keys or fixed keys, 
the latter being used with the UNIT card only. 

(a) When sliding keys are used, 

(i) A horizontal key and a vertical key (known as a "key 
pair") are required. Also, one of the rectangles on 
the card will be designated as the "key rectangle" by 
which the settings of the cursors for a conversation are 
indicated. 

(ii) Each horizontal key will consist of the first 12 letters of the 
alphabet (A-L) in jumbled order, with the first four 
letters of the jumble repeated at the end so that, when 
it is written on the cursor, each division will contain a 
letter. 

(iii) Each vertical key will consist of the first 17 letters of the 
alphabet (A-Q) in jumbled order, with the first four 
letters of the jumble repeated at the end so that, when 
it is written on the cursor, each division will contain a 
letter. 

(iv) With each key pair a "key rectangle", chosen at random, 
will be issued. It will be indicated by giving the red 
number or figure in the chosen rectangle. As each letter 
appears on the card more than once, it will be necessary 
when the rectangle chosen contains a letter to indicate 
which particular rectangle is meant by specifying, e.g., 
1st N, 2nd N, 3rd N (i.e., the first, second or third N in 
sequence on the card). 




Example :— 

Horizontal Key    G C B F J A L E I D K H G C B F 
Vertical Key      I C H B K A G J N F O Q M P D L E I C H B 
Key Rectangle     2nd N. 
(b) When fixed keys are used, i.e., with UNIT card only, 

(i) A "key pair" only is required consisting of the first 12 
letters of the alphabet in jumbled order for the horizontal 
key and the first 17 letters of the alphabet in jumbled 
order for the vertical key. 

(ii) The repeated letters and key rectangle mentioned in 
para. 5 (a) are NOT required. 


(c) It is essential that the letters of all keys be arranged 
haphazardly and that the sequence of letters vary from key to key. 
"Key rectangles" must also be chosen at random. 


6. Issue of Keys 


(a) Each divisional headquarters will prepare and issue key pairs 
and key rectangles as in para. 5 (a) for use by all holders down to 
unit level within the division. These keys will be written on BLACK 
cursors. 


(b) Army headquarters will prepare and issue key pairs and key 
rectangles as in para. 5 (a) for use 


(i) by all holders behind division down to unit level, 
(ii) between divisions, 

(iii) between divisions and higher formations. 

These keys will be written on RED cursors. 


(c) The Army Commander may, at his discretion, order the use 
of the "Army" key pair and key rectangle by all holders of one 
or more types of card; e.g., holders of the RA card may be 
instructed to use the "Army" keys for conversations at all levels 
throughout the Army. In the interests of security this arrangement 
should be used as seldom as possible. 


(d) Units will work with fixed keys and will prepare key pairs 
as in para. 5 (b) for use within the unit. These keys will be used 
with Unit cards and will be written on GREEN cursors. 


Note.—Indelible pencil must not be used for writing on cursors. 


7. Key Changes 


Normally, key pairs and key rectangles will be changed daily 
at midnight, but whenever the volume of traffic makes it desirable on 
security grounds, keys may be changed twice daily at the discretion 
of the Army Commander. For this purpose 


(a) Two key pairs and, preferably, a key rectangle for each, 
will be provided daily. 

(b) The keys to be used for the first part of the day will be 
written on the sides of cursors end-marked with coloured 
DOTS; those for use during the remainder of the day 
will be written on the sides end-marked with a coloured 
BAND. 

(c) The time for the change during the day will be the same 
throughout an Army and should be chosen so that 
approximately equal weights of traffic are thrown on each 
key pair. 


8. Lateral Communication 


Lateral communication at and behind divisional headquarters 
within the same Army will be carried out on the Army keys. All 
other demands for such communication will be met by an ad hoc 
passing of keys. 

9. Unit Vocabularies 


Each unit will prepare for internal use with and between sub- 
units a vocabulary which will be written in the blank rectangles of 
unit cards in a convenient order. These vocabularies will be amended 
or changed completely, as necessary. 


10. Distribution 


The Army commander will, according to operational requirements, 
lay down what distribution is to be given to, 


(a) The keys issued at all levels. 
(b) The vocabularies produced by units for their own use. 


11. How to use the Code 


(a) Select from the cards provided the one appropriate to the con- 
versation contemplated. 


(b) Place the card in the frame. To do this insert the edge of 
the card under one of the vertical metal strips. Slightly bend the 
card and slip its other edge under the other strip. 


(c) Insert the cursors, bearing the appropriate key. Users who 
require to use one key pair only will find it convenient to keep the 
cursors permanently in the channels. 


(d) When sliding keys are used (BLACK or RED cursors) move 
the cursors, the vertical up or down, the horizontal left or right, 
into any position relative to the card but ensuring that every row 
and every column of the card has a key letter opposite to it. 
The variation of co-ordinates from message to message given by 
this arrangement adds materially to the security. When fixed 
keys are used it is only necessary to adjust the cursors so that the 
keys are in the correct positions relative to the card. 


(e) Normally, because of the net employed, the receiver will 
know which card the originator is using. Should there be any 
variation, the originator will give the card number (printed in the 
bottom right hand corner of the card) before beginning the con- 
versation. 

(f) If sliding keys are used, the originator of the conversation 
will indicate to the receiver the position in which he has set his 
own cursors by giving the co-ordinates of the "key rectangle" and 
allowing the receiver a sufficient interval to set his cursors before 
continuing. With fixed keys this is not necessary. 

(g) Each phrase, word, letter or number which has to be con- 
cealed will now be encoded by taking the letter co-ordinates of the 
rectangle in which it appears. 

(h) The first letter of a co-ordinate will be taken from the 
horizontal key, the second letter from the vertical key. 

(i) Users are advised for quick reference to make a note of the 
key rectangle on a convenient part of one of the cursors to which 
it pertains. 

(j) The phonetic alphabet will always be used when giving 
co-ordinates. 

12. Spelling 


(a) Words which do not appear in the vocabulary and which, for 
security reasons, cannot be mentioned in clear will be encoded by 
means of the red letters as follows :— 


Give the co-ordinates for one of the SWITCH ON rectangles, 
if necessary, and then give the co-ordinates for each letter of the 
word to be encoded, concluding the spelling with the co-ordinates 
for one of the SWITCH OFF rectangles if necessary. Alternatives 
are provided for all letters and switches. Full use will be made 
of these alternatives. 


(b) If a letter is repeated in a word, each of the repeats will be 
taken from a different alphabet. 


13. Figures 


(a) When figures have to be encoded the red numbers will be 
used as follows :— 


Give the co-ordinates for one of the SWITCH ON rectangles, 
if necessary before encoding the figures and, if necessary, the 
co-ordinates for one of the SWITCH OFF rectangles at the 
end of the figures. 

(b) Numbers of more than two figures will be encoded two figures 
at a time, the odd figure, if any, being encoded last. (See examples, 
para. 15.) 


14. Security 


(a) Whenever it is possible to do so without confusing the 
decoder, the use of either or both switches will be avoided. E.g., 
when spelling or figures ends a conversation SWITCH OFF will 
not be used. An encoded passage which can be nothing but spelling 
or figures to the receiver needs neither switch. 

(b) Care should be taken to frame conversations so that the 
portions given in clear afford as little clue as possible to the nature 
of the encoded portions. 

(c) Unit vocabularies should be compiled with a view to keeping 
the necessity for switching to a minimum. 

(d) Formations and units responsible for issuing keys will provide 
emergency keys for use if and when required. 

(e) The loss or compromise of any key or list of keys will be 
reported immediately to the issuing authority who will take the 
necessary steps to restore security. 

(f) If circumstances arise in which this code is in imminent danger 
of capture, all keys will be burnt as a first priority, after which all 
vocabulary cards and the instructions will be destroyed by the same 
means. N.B.—The cursors are inflammable. 


15. Examples 

These examples are founded on the diagram on pages 4 and 5 
and the keys given in para. 5 (a). 

(a) Vocabulary. 


Cancel move—DA CB LO. 
Report location harbour—DA BM DF GJ. 
What is your centre line—DA What is your LK. 


APRIL 1984 


(b) Spelling. 
NORTHAMPTON—DA KM* CB AJ AQ KH IN FA DH CF CE DG AA CI*. 


(c) Figures. 

29        DA DQ* LP AG* 
300       DA EF* LI FH IO* 
2004      DA LN* AP FM HP* 
71625     DA BC* HL KP DB GD* 
035289    DA JA* FO DN CD FK* 


Note.—Switch co-ordinates (marked with an asterisk in the above 
examples) will not be used unless they are necessary. All the 
possible switch groups have been used in (b) and (c). 

(d) With the omission of the co-ordinates of the key rectangle, 
i.e., DA, the above examples give the coded version which would 
be obtained from a UNIT card having the vocabulary given in the 
diagram and key pair: 

Horizontal    F J A L E I D K H G C B 

Vertical      H B K A G J N F O Q M P D L E I C 
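The encoding procedure of paras. 5 and 11-13 worked through in Python, as an added example that is not code from the article or from the booklet. The keys are the ones printed in paras. 5(a) and 15(d); the card, its vocabulary and the layout of the red alphabets are constructed (the real cards' vocabulary and interspersed red numbers are not reproduced), so the groups differ from the booklet's examples. `demo()` shows that sliding the 5(a) cursors three and two divisions exposes exactly the fixed keys of 15(d), so both frames yield the same groups.

```python
"""Model of the Slidex RT Code frame (paras. 3-5 and 11-13 of the instructions).
Added worked example, not code from the article or the 1944 booklet. The card
is constructed (the real vocabulary and red numbers are not reproduced); the
keys are those printed in paras. 5(a) and 15(d)."""
from itertools import cycle
from string import ascii_uppercase

COLS, ROWS = 12, 17                    # para. 3(a): 12 columns x 17 rows
H_ALPHABET = ascii_uppercase[:COLS]    # A-L, horizontal key, para. 5(a)(ii)
V_ALPHABET = ascii_uppercase[:ROWS]    # A-Q, vertical key, para. 5(a)(iii)
VOCABULARY = ["CANCEL", "MOVE", "REPORT", "HARBOUR", "SWITCH ON", "SWITCH OFF"]


def sliding_key(jumble: str, alphabet: str) -> str:
    """Check that a key is a full jumble of its alphabet and repeat its first
    four letters, as written on a LONG (16 div.) or SHORT (21 div.) cursor."""
    if sorted(jumble) != sorted(alphabet):
        raise ValueError(f"key must be a permutation of {alphabet}")
    return jumble + jumble[:4]


def build_card() -> list[list[str]]:
    """Constructed card: a complete red alphabet laid out by columns in every
    block of four columns (para. 3(b)(ii)); other rectangles cycle the vocabulary."""
    card = [[""] * COLS for _ in range(ROWS)]
    words = cycle(VOCABULARY)
    for block in range(3):                     # columns 0-3, 4-7, 8-11
        letters = iter(ascii_uppercase)
        for col in range(block * 4, block * 4 + 4):
            for row in range(ROWS):
                card[row][col] = next(letters, None) or next(words)
    return card


class Frame:
    def __init__(self, card, h_key, v_key):
        self.card, self.h_key, self.v_key = card, h_key, v_key
        self.h_offset = self.v_offset = 0      # fixed keys are never slid

    def set_cursors(self, h_offset: int, v_offset: int) -> None:
        """Slide the cursors (para. 11(d)); every column and row must keep a key letter."""
        if not (0 <= h_offset <= len(self.h_key) - COLS
                and 0 <= v_offset <= len(self.v_key) - ROWS):
            raise ValueError("a column or row would have no key letter")
        self.h_offset, self.v_offset = h_offset, v_offset

    def column_letters(self) -> str:
        return self.h_key[self.h_offset:self.h_offset + COLS]

    def row_letters(self) -> str:
        return self.v_key[self.v_offset:self.v_offset + ROWS]

    def coordinates(self, row: int, col: int) -> str:
        """Para. 11(h): horizontal key letter first, vertical key letter second."""
        return self.column_letters()[col] + self.row_letters()[row]

    def rectangles(self, entry: str) -> list[tuple[int, int]]:
        """Every rectangle carrying an entry, in card sequence (para. 5(a)(iv))."""
        return [(r, c) for c in range(COLS) for r in range(ROWS)
                if self.card[r][c] == entry]

    def key_rectangle(self, entry: str, nth: int = 1) -> str:
        """Indicator group sent so the receiver can set his cursors (para. 11(f))."""
        return self.coordinates(*self.rectangles(entry)[nth - 1])

    def encode(self, entry: str, alternative: int = 0) -> str:
        rects = self.rectangles(entry)
        if not rects:
            raise KeyError(f"{entry!r} is not on the card; spell it (para. 12)")
        return self.coordinates(*rects[alternative % len(rects)])

    def decode(self, group: str) -> str:
        col = self.column_letters().index(group[0])
        row = self.row_letters().index(group[1])
        return self.card[row][col]

    def spell(self, word: str) -> list[str]:
        """Para. 12(b): each repeat of a letter comes from a different alphabet."""
        groups, seen = [], {}
        for letter in word:
            groups.append(self.encode(letter, seen.get(letter, 0)))
            seen[letter] = seen.get(letter, 0) + 1
        return groups


def demo() -> dict:
    card = build_card()
    sliding = Frame(card, sliding_key("GCBFJALEIDKH", H_ALPHABET),
                    sliding_key("ICHBKAGJNFOQMPDLE", V_ALPHABET))
    sliding.set_cursors(3, 2)   # exposes exactly the fixed keys of para. 15(d)
    fixed = Frame(card, "FJALEIDKHGCB", "HBKAGJNFOQMPDLEIC")   # UNIT card keys
    groups = sliding.spell("NORTHAMPTON")
    return {"columns": sliding.column_letters(), "rows": sliding.row_letters(),
            "key_rectangle": sliding.key_rectangle("N", 2), "spelling": groups,
            "decoded": "".join(fixed.decode(g) for g in groups)}
```

What the model preserves is the structure of the system rather than the real groups: an indicator group sent in clear at the start of each conversation, and fixed UNIT keys that, as para. 11(d) implies, give the same groups from conversation to conversation.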


(B43/193) 96000 1/44 G.S.St. C.1338 
The problem of computer security has crossed 
international boundaries as well as institutional 
lines. Computer fraud is no longer a company 
matter or a local matter. Computer fraud with its 
concomitant problems is international in scope, 
and progress in its detection and prevention will 
be quicker and much more effective if information 
is exchanged on an international basis. 


The problem of computer security has mush- 
roomed with the growth of computer installations. 
No longer thought of as confined to the military or 
perhaps the government, computer security is now 
the concern of every organization that uses a 
computer... business, financial, industrial, educa- 
tional. It is no longer a question of time lost by 
the unauthorized use of a computer that is para- 
mount. The data banks, upon which modern mana- 
gement now depends for vital decision-making, 
must be protected from theft, unauthorized mani- 
pulation and other illegal acts. The re-awakening 
interest in cryptography as a result of the U.S. 
National Bureau of Standards Data Encryption 
Standard, the much-publicized public key alterna- 
tive as well as hardware encryption equipment, 
are responses to repeated news items about 
computer fraud. 


COMPUTERS & SECURITY is devoted to the study 
of the financial and technical aspects of computer 
security and is written for business management, 
accountants, attorneys, bankers, insurance com- 
pany executives as well as for the computer 
specialist. The cost of this Journal is minor 
compared with the savings it will produce in 
greater security for the computer installation and 
the information therein. 
BRITISH INTELLIGENCE - VOLUME II -- BOOK REVIEW 
RALPH ERSKINE 


British Intelligence in the Second World War: Its Influence on 
Strategy and Operations, by F.H. Hinsley, E.E. Thomas, C.F.G. Ransom 
and R.C. Knight. Volume Two. 850 pp. London: Her Majesty's Stationery 
Office, 1981. 15.95 pounds sterling. New York: Cambridge University Press. 
$39.50. 


This volume starts in mid-1941, where Volume I, reviewed in Cryptologia 
(January, 1982), [1] left off. It continues the story until mid-1943, 
covering all areas except the Far East, which was excluded because it was so 
much within the United States' sphere of influence and inadequately included 
in British records. The war at sea and in the air are dealt with 
comprehensively. On land, the North African campaign naturally falls for the 
most attention. 


For those who were disappointed by the style or even by some of the content of 
Volume I, this volume comes as a pleasant surprise. That volume made rather 
heavy reading. Overall, Volume II ranks among the better written of the 
British series, even if it still cannot be said to be lively or anecdotal. 
Official histories, being works of record, have to set out a multitude of 
facts, which does not lend itself to a light style. 


When reviewing Volume I, William P. Bundy complained of the lack of references 
to individuals and of the fact that there was no bibliography [1]. The latter 
will, we are assured, be remedied in Volume III. The former is typical of 
most of the British official histories, many of which had the same general 
editor as this volume. And this reviewer has much sympathy with the view of 
the authors that such a work should follow Flaubert’s precept: pas de mon- 
stres, et pas de héros. Given the subject matter, how could any general 
history distinguish between the contributions made by the many individuals at 
the Government Code and Cypher School ("GCCS" or "Bletchley") to the breaking 
of Enigma? A further reason for the emphasis on organizations is that the 
work has been based mainly on written records. We can hardly complain since, 
given the size of the task, it could scarcely have been otherwise. Other 
writers can fill in the interstices by tracking down and interviewing those of 
the participants who are still alive. 


Although the authors had virtually unrestricted access to official files, the 
constraints included a bar on publication of "details of the methods by which 
[intelligence] was obtained" [2]. There is therefore no description of the 
cryptanalysis of Enigma or Geheimschreiber (Fish) by GCCS. So we will have to 
content ourselves with accounts elsewhere [3]. 


Readers of Cryptologia will probably search first for the treatment of crypto- 
graphic topics. There is material in plenty. The index is a good guide to 
the work’s coverage. The entry for GCCS covers almost 5 columns, that for 
Enigma, 7. Some items are short, and poignant, histories in themselves 
("Italian Navy — GC and CS breaks cyphers of...; GC and CS loses cyphers 
of...;"). There are several columns on Sigint and a few inches on C38m 
(modified Hagelin). 


However, the book is about much more than cryptology. Essentially, it deals 
with the organization of intelligence and its integration into the command 
structure. No single element of intelligence, no matter how important, could 
sensibly be considered and used on its own. Enigma-based intelligence 
("Ultra" in British terms) was supplemented by lower-grade intelligence col- 
lected by the Y Services (nets of listening posts established by the Army and 
Air Force [4]), electronic intelligence [5], traffic analysis and other 
measures: all played their part. And then the results had to be analyzed, 
distributed and used. Perhaps that is why there is, and had to be, so much 
discussion of committees and structure in these volumes. It was in the effi- 
cient organization and use made of all intelligence that the Allies excelled. 


The introductory four chapters (which start with chapter 15) consider develop- 
ments in the organization of intelligence. Chapter 16 describes arrangements 
with the United States and relations with the Soviet Union. While there were 
some initial differences with the United States Navy Department, by June 1943 
there was very full collaboration. A visit to the United States by GCCS in 
October 1942 ensured that the Navy Department would receive Enigma decrypts 
and technical assistance from the British. The Navy Department agreed to 
supply GCCS with Japanese Naval decrypts and other intelligence and allowed 
GCCS to coordinate work done by American bombes. It also agreed to construct 
only 100 of its own three-wheel bombes, as they had merely half the capacity 
of the British model. But later on, British four-wheel bombes (needed to 
break the four-wheel version of Enigma used by the U-boats) had a low service- 
ability rate and were wholly supplanted, by end-1943, by American bombes. 
The concordat with the Navy Department had its price. It led to friction with 
the War Department [6], which had not been consulted, so that it was not until 
May 1943, after various missions and high level interventions, that there was 
a similar, but even more far-reaching, agreement on the Army side. This left 
all German and Italian military ciphers to GCCS and the Japanese ciphers to 
the War Department. 


As one would expect, there was little progress towards exchanging intelligence 
with the USSR. Information on how to solve German police ciphers and Abwehr 
hand ciphers was given to the Russians. Since Ultra revealed that various 
Soviet ciphers were being read by the Germans, the British intelligence 
authorities were reluctant to release Ultra to the Soviets even when the 
source was not disclosed. When they did so, they were yielding to pressure 
from the prime minister. The history states categorically that there is no 
truth in the suggestion that the Lucy ring [7] was used by the British to pass 
intelligence to the USSR. A lot of operational intelligence was sent through 
the British military mission in Moscow. The Soviets were very reluctant to 
give anything in exchange, even information about captured German equipment. 


One feels that the authors are most at home when writing about naval affairs, 
including the U-boat war. Indeed two of them (Hinsley and Thomas) worked on 
naval intelligence at Bletchley. They survey fully the events surrounding the 
introduction, in February 1942, of the additional wheel into the U-boats' 
Enigma machines. Even though the development had been foreshadowed in Enigma 
decrypts as early as the spring of 1941, it was not until December 1942 that 
GCCS managed to break the four-wheel version (codenamed Shark by the Allies). 
This notwithstanding that, due to the classic error of an operator using four 
wheels prematurely and then repeating the message on three, the wiring of the 
fourth wheel was recovered in December 1941. Appendix 19 discusses the 
breaking of Shark and the reasons for the delay, which was to contribute to 
heavy Allied shipping losses. Those losses were made worse due to the fact 
that in February 1942 the Beobachtung-Dienst ("B-Dienst", the German Navy's 
radio intelligence section) finished its solution of Britain's Naval Cypher 
No. 3, so that they could read most Allied signals about the North Atlantic 
convoys. 


Solving Shark was obviously of considerable importance. The authors do not, 
however, describe it as the decisive factor in defeating the second U-boat 
campaign which began against the convoys in December 1942. They do not there- 
fore wholly agree with the German naval historian Jurgen Rohwer, in his 
assessment that the turning point would otherwise have come "months, maybe 
many months" after May 1943 [8]. The book also brings out the use of Ultra, 
in the war at sea, in other ways as well as against U-boats. An auxiliary 
raider (Komet, or Raider B) was attacked and sunk because its movements were 
known, largely due to Ultra. Blockade runners were intercepted. Minelaying 
operations by Bomber Command were stepped up considerably because Ultra showed 
them to be especially useful against German coastal shipping. Many other 
examples are given. 


The air war presented a very different picture from the war at sea. U-boat 
operations, being based on the pack, were controlled by the German submarine 
commander in chief, Admiral Karl Donitz, through two-way wireless 
communications. The German Air Force in the West largely used land lines and 
transmitted little of consequence in Enigma. So there were few nuggets of 
strategic importance to be gleaned from Luftwaffe Enigma. Sigint and, in 
particular, the RAF Y service therefore provided much useful intelligence 
about Luftwaffe operations, including night defenses. 


There is full coverage of the war in the Mediterranean and North Africa. The 
book demonstrates just how important Ultra was in contributing to the defeat 
of the Axis in North Africa. Important, but the battle of Gazala in May and 
June, 1942, showed that Army Y intelligence could be more helpful than Ultra 
during a battle (not least because, being provided locally, it was generally 
available more quickly) and that it was vital to integrate "Y" fully into the 
headquarters’ structure. 


The appendices, totalling about 140 pages, contain some of the most 
interesting material in Volume II for the general reader, mainly because they 
are more analytic in tone. Appendix 1 considers British cipher security 
during the war and gives the reasons for the Admiralty's reluctance to adopt 
the Typex machine [9], hitherto inexplicable to this reader. Instead it 
depended on codes (confusingly, a 4-figure code used by officers was called a 
cypher), which were recoded by a subtractor system. GCCS did not dissent from 
this decision because it believed that messages would be secure if the 
recycling tables were replaced at frequent intervals. The volume of traffic 
prevented that. The real culprit was divided responsibility for the Navy's 
cipher arrangements, which was split between three different sections. 


Appendix 1 also gives an account of the results of German cryptanalytic work 
on British codes and ciphers. The well-known B-Dienst success against naval 
codes was considerable. This was especially so for Naval Cypher No. 3, which 
was used from 1941 to at least the end of 1943 by the United States, British 
and Canadian navies in the Atlantic. Although there were signs from other 
decrypts in the second half of 1942 that it had been cracked, it was not until 
Shark was broken that GCCS realized the full extent of the penetration. There 
is a short summary of work done against Allied merchant marine and merchant 
ship codes. 
A separate part of Appendix 1 considers the security of Ultra [10]. The reader 
is left with the impression, from that appendix and the book as a whole, that 
there may have been too many risks taken, even though Ultra itself showed that 
the Germans were having doubts about their own cipher security, albeit that 
the messages did not show their concern, on occasion, about Enigma. More is 
to appear on this subject in Volume III. How was the arrival of British 
submarines at Cape Verde during a U-boat rendezvous in September 1941 to have 
been explained by the Germans? Or the sighting by Allied destroyers of a 
refuelling between submarines on January 13, 1943? The cover stories must 
have been very thin. Interestingly, the fourth wheel added to the U-boats' 
Enigma was a step taken against only "internal insecurity" (the risk of Enigma 
being read by persons on other Enigma nets [11]). 


Appendix 3 is the only place where the names of individual cryptanalysts 
feature. It sets out in full a letter from Alan Turing, Gordon Welchman, Hugh 
Alexander and Stuart Milner-Barry [12], all of whom worked in Huts 6 and 8, 
Following a visit from Winston Churchill to Bletchley, they appealed to him 
over the heads of officialdom for about 60 to 100 extra staff. Churchill 
treasured Ultra, which he knew as Boniface. On the same day that he received 
the letter, he wrote an "Action this Day" minute asking for Bletchley to "have 
all they want on extreme priority." Their needs were very soon met. 


Appendix 4 is the fullest list yet published of various Enigma keys [13]. The 
naming system adopted by GCCS is given (insects for Fliegerkorps keys, birds 
for the Army's, fish for the Navy's and so on). By the war's end, about 220 
keys had been attacked, of which only 20 or so were naval. The German Army 
home administration key, used throughout the war, was broken only 13 times and 
some of those breaks required prisoner-of-war help. A key used by the 
Gestapo, also for the entire war, was never solved. Although this is 
described as a classic mystery of Hut 6, both keys illustrate just how secure 
Enigma could be when used sensibly. Welchman states that it would then have 
been impregnable [14]. The examples of these keys, taken with the length of 
time required to crack Shark, may serve as indirect testimonials to the 
pioneering achievement of the Poles, working as they did with exiguous 
resources of men, money and machines. 


Another appendix covers German police and hand ciphers. A considerable effort 
was mounted against them, because they provided an entry into Enigma, and much 
the same system was used by the German Army and Air Force. It also confirms, 
as first revealed by Peter Calvocoressi [15], that GCCS knew, from spring, 
1942, until February, 1943, the precise numbers of deaths in 10 German concen- 
tration camps, including Auschwitz and Dachau. 
No mistake should be made about the importance of this volume. Quite simply, 
it is the key to a full understanding of the history of the period. Virtually 
every other book published so far on the history of World War II in the areas 
covered by it has to be interpreted in its light. There are no startling 
revelations, because the general story, including that of Enigma, is now well 
known. Since most, but not all, of the papers seen by the authors are now in 
the Public Record Office, there will be other books which may on occasion take 
a different view to that of the authors or expand the treatment of specific 
topics. None is ever likely to replace it. 


This work will remain a classic and be consulted for very many years to come. 
For the historian, it is essential reading. The average reader is more likely 
to want to dip into it from time to time; he will almost certainly profit from 
doing so. For each, Welchman’s book complements this volume on the technical 
aspects of work on Enigma at Bletchley, as well as filling in some of the 
human background. 


The book is excellently produced and reasonably priced for a specialist work. 
The proofreading and the index are superb. One looks forward to the next 
volume (which is to appear in two parts) with a sense of real anticipation, 
which could not be said after reading Volume I. 


No assessment is made in this volume of the ultimate effect of the Allies’ 
ability to read Enigma. Hinsley takes the view that it shortened the war by 
about three years [16]. Whatever the period, many thousands of lives must 
have been saved as a result. Ultra could have no better epitaph. 
FROM THE ARCHIVES 


SUBJECT: CODES AND CIPHERS FOR COMBINED 
AIR-AMPHIBIAN OPERATIONS 


[Ed. Note. During the course of their research, our editors and 
readers are sometimes responsible for the declassification of pre- 
viously undisclosed material. Or they may discover items in private 
or public collections, libraries, and archives, items which are not 
widely known. The purpose of this column is to give these documents 
wider circulation for the benefit of the cryptologic community. If 
you have or know about material suitable for this column, please send 
it to David Kahn, 120 Wooleys Lane, Great Neck, NY 11566. All 
contributions used will credit the donor.] 


[Louis Kruh brings this item to our attention concerning the efforts to 
coordinate the cipher material for the Allied invasion of France.] 


WAR DEPARTMENT The Adjutant General's Office, Washington 

AG 311.5 (3-24—43)0B-S—-SPSIS-M BJS/reh-2B-939 Pentagon 
March 28, 1943 

SUBJECT: Codes and Ciphers for Combined Air-Amphibian Operations. 


TO: The Commanding Generals, 
Army Ground Forces; 
Army Air Forces; 
Army Service Forces. 
Commander-in-Chief, Southwest Pacific Area. 
The Commanding Generals, 
Theaters of Operations; 
Defense Commands; 
Departments; 
Service Commands; 
Base Commands; 
Military District of Washington. 
The Commanding Officers, 
Base Commands. 
1. The Combined Communications Board, on February 17, 1943, approved the 
inclosed tabulation of cryptographic systems suitable for use in various 
stages of combined air-amphibian operations. 


2. In the case of each combined air-amphibian operation, it should be 
the duty of the senior officer appointed for that operation to select the 
cryptographic systems to be used. 


3. The systems set forth in column three of the tabulation should be 
used if available; if not available, the selection by the senior officer 
appointed for the operation of any systems in columns one and two is approved. 


4. A statement of these cryptographic systems should be included in the 
Combined Communication Plan for each operation which, after approval by the 
Commanders, will form the basis for the detailed communication orders of all 
services concerned. 


5. It is desired that necessary steps be taken to disseminate this 
information in your Command. 


By order of the Secretary of War: J.A. ULIO, 
Major General, The Adjutant General. 


ENCLOSURE A 
List of Cryptographic Systems suitable for Combined Air-Amphibian Operations 


BRITISH 

1. During Voyage. Normal naval ciphers* and codes are used for purely Naval 
traffic and for any essential Army and R.A.F. traffic which has to be passed 
to the force while at sea. Distribution: Normal. 

2. During Final Approach and Assault. 
(a) Naval code with a special edition of a subtractor table is set aside as 
main "high-grade" means of communication at this stage. Distribution: 
Commander-in-Chief, Flag officers, and Major War Vessels. 
(b) For more rapid communication requiring reasonable security for a limited 
period a 3 letter hatted code is used, unenciphered, known as Combined 
Operations Code Part I. Distribution: All ships, Main and sub-beach signal 
stations, Headquarters down to battalions, R.A.F. Formation Headquarters and 
Stations (point-to-point). 
(c) It is the intention to use plain language considerably in the assault in 
the interests of speed, temporary cover being obtained by the use of code 
words for important places, names, and references. These code words are 
included in operational order. 
(d) For reconnaissance and air support during the assault stage a 
non-confidential code is used unenciphered for brevity and standardization, 
and is known as Combined Operations Code Part II. Distribution: All ships, 
Main and sub-beach signal stations, Headquarters down to Company F.O.O.'s, 
R.A.F. Formation Headquarters and Stations, Aircraft. 

3. After Establishment of Army Ashore. Normal Joint interservice 
communications. 
(a) Type X with interservice settings. Standby: Interservice Cipher (4 figure 
book with subtractor tables). Distribution: Navy shore authorities only, Army 
down to Divisions, R.A.F. down to established R.A.F. Stations. 
(b) Interservice Code (3 figure book with subtractor tables). Distribution: 
Navy down to Destroyers, Corvettes and any other craft which may require to 
communicate with Army or R.A.F., Army down to Brigades, R.A.F. down to R.A.F. 
Stations and detached squadrons (for point-to-point use). 
(c) Air-to-Ground and Air-to-Sea: Syko or REKOH for interservice use, which 
is expected to be small. Normal R.A.F. codes for communication with R.A.F. 
ground stations, e.g. Bomber Code Book. 


UNITED STATES 

1. During Voyage. Normal naval ciphers (ECM* and/or Naval Strip) are used for 
purely Naval traffic. Joint ECM* and/or Strips for Joint traffic which has to 
be passed to the force while at sea. Distribution: Normal. 

2. During Final Approach and Assault. 
(a) Hazardous duty strip ciphers, Navy only, plus Joint Army-Navy Strip 
Ciphers. Distribution: Commander-in-Chief, Flag officers, and Major War 
Vessels. 
(b) For more rapid communication requiring reasonable security for a limited 
period the Joint Operations Code, either unenciphered or enciphered by 4 
random mixed alphabets changed at least daily. The Hagelin Machine. 
Distribution: Down to minor war vessels, All Marine activities down to 
battalions, Army Headquarters down to battalions, Down to Army Air Force 
Squadrons. 
(c) It is the intention to use plain language considerably in the assault in 
the interests of speed, temporary cover being obtained by the use of code 
words for important places, names and references. These code words are 
included in operation orders. 
(d) For reconnaissance and air support during the assault stage the Joint 
Operations Code unenciphered and/or the Hagelin Machine is used. 
Distribution: Down to minor war vessels, Army down to battalion headquarters, 
Naval gunfire liaison parties, Army Air Force down to Squadrons, Aircraft. 

3. After Establishment of Army Ashore. Normal Joint interservice 
communications. 
(a) Joint ECM. Standby: Joint Strips. Distribution: Flag officers and above 
(afloat and ashore), Army down to Divisions, Army Air Force down to Commands. 
(b) Joint Operations Code (enciphered by 4 random mixed alphabets changed at 
least daily). Joint Hagelin Machine. Distribution: Down to minor war vessels, 
Army down to Battalion, Army Air Force down to Squadrons (for point-to-point 
use). 
(c) Air-to-Ground and Air-to-Sea: Hagelin Machine. 


COMBINED 

1. During Voyage. Normal combined ciphers (Combined Cipher Machine C.C.B.P. 
and Naval Cipher No. 3) are used for purely Naval traffic and for any 
essential Army and Air Force traffic which has to be passed to the force 
while at sea. Distribution: Normal. 

2. During Final Approach and Assault. 
(a) Normal combined cipher as in 1 above except special hazardous duty keys 
will be employed. Distribution: Commander-in-Chief, Flag officers, and Major 
War Vessels. 
(b) For more rapid communication requiring reasonable security for a limited 
period, either Combined Operations Code Part I unenciphered or Joint 
Operations Code (enciphered by means of 4 random mixed alphabets changed at 
least daily) is suitable. Distribution: Down to minor war vessels, Main and 
sub-beach signal stations, Marine Headquarters down to battalions, Army 
Headquarters down to battalions, Down to Air Force Squadrons. 
(c) It is the intention to use plain language considerably in the assault in 
the interests of speed, temporary covering being obtained by the use of code 
words for important places, names, and references. These code words are 
included in operational order. 
(d) For reconnaissance and air support during the assault stage either 
Combined Operations Code, Part II or Joint Operations Code unenciphered. 
Distribution: Down to minor war vessels, Down to main and sub-beach signal 
stations, Down to battalion headquarters, Naval gunfire liaison parties, Down 
to Company F.O.O.'s, R.A.F. Formation Headquarters and Stations, A.A.F. down 
to Squadrons, Aircraft. 

3. After Establishment of Army Ashore. Normal Combined interservice 
communications. 
(a) Combined Cipher Machine (C.C.B.P.-). Standby: Combined Strip Cipher 
System (C.C.B.P.-). Distribution: Flag officers and above (afloat and 
ashore), Army down to Divisions, R.A.F. down to established R.A.F. Stations, 
Army Air Force down to Commands. 
(b) Either Interservice Code with subtractor tables, or Joint Operations Code 
(enciphered by means of 4 random mixed alphabets changed daily). 
Distribution: Down to minor war vessels, Army down to Battalion (US) or 
Brigade (Br), Air Force down to Squadrons (for point-to-point use). 
(c) Air-to-Ground and Air-to-Sea: Any of the following may be used: Bomber 
Code Book, Joint Operations Code (unenciphered), Air-Ground Liaison Code, or 
REKOH for interservice use. 


*Where the CCM is not available, and machines of either service are required 
to be employed for combined use, liaison groups must accompany this 
equipment. In some instances where the British Type X machine is selected to 
be used, the Senior British Signal Officer may authorize its employment by 
U.S. Forces without a liaison group. 
AN UNKNOWN CIPHER DISK 
DAVID SHULMAN 


The multiple cipher disk illustrated by photographs taken by Louis Kruh is of 
unknown origin. I purchased it at an antique show about 15 years ago and all 
I remember the dealer telling me is that he had bought the item with a collec- 
tion of other instruments in Stockholm from another dealer. Shortly there- 
after, I showed it to William F. Friedman in Washington but he did not recall 
seeing anything of this kind before, nor could he provide any information 
about it. Perhaps a reader can identify the device and tell us more about who 
used it and how it was used. 


Figure 1. 
Figure 2. 


There are three hinged cases in which the disk and alphabet letters and 
numbers fit perfectly into the plush lining. Judging by these cases (I have 
seen similar ones for holding medals), the device is from the nineteenth 
century. 


Three concentric circles comprise the basic disk which is made of brass. A 
cursor or metal reading guide is attached to the outer rim. The two outer 
circles or disks have the numbers 1 - 30 engraved on their base. The inner 
circle is blank with a raised metal pimple (Figure 1). 


There are six metal circular rings (Figure 2), four with letters and two with 
numbers, each with a hole to fit over the metal pimple, to place in position 
on the inner disk. Figure 3 shows an alphabet ring in place. 


Two cases hold individual letters and numbers made of ivory to place in any 
sequence in the middle and outer circles. Each of the disks has room for 30 
letters or numbers. Figure 4 shows some of them in place. 


A knurled brass knob screws into the center of the device and is used to 
rotate the inner two disks against the outer one. 
Figure 4. 


Louis Kruh asked me to check on what foreign alphabet is represented. My 
first thought was that it would be Scandinavian, but I found that Swedish, 
Norwegian, and Danish did not fit, as those languages do not have an alphabet 
with an E with an acute accent; they also include an O with a slash through 
it, which this alphabet does not have. Nor could I find any other alphabet of 
foreign languages to match the disk alphabet. It is possible that these 
particular letters were provided for someone who might be able to use them in 
an agreed upon manner between correspondents to represent an alphabet of 
their own choice, Swedish, Norwegian, and so on. 


Figure 5. Cipher disk with spare rings and alphabets. 


As to the method of encipherment, it could be a keyword polyalphabetic or 
numerical substitution of any type that can be used with disk encipherments. 
I believe that the three boxes are complete and were intended for two special 
correspondents and that they were made to order secretly for high-ranking 
officials. There is no inscription or mark of manufacture on any of the parts 
or boxes and no other set is known to exist. I find that the use of ivory in 
any kind of instrumentation is unusual, same as with precious metals such as 
gold. It would be, therefore, a good conjecture that what I have was intended 
for nobility in the Scandinavian countries. It is an elegant cipher disk 
mystery waiting for someone to shed more light on it, if it is possible. 
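As an added illustration, not part of Shulman's article, the following Python 
models one way a 30-position disk like this one could be used for the keyword 
polyalphabetic and numerical substitution methods he mentions: the outer ring 
carries a fixed alphabet, the inner ring a mixed alphabet laid out by the 
correspondents, and each keyword letter sets how far the inner ring is turned 
for one plaintext letter. The 30-symbol alphabet, the ring orders, the keyword 
and the plaintext are all constructed here; the actual letters on the device 
and the method its owners agreed on are unknown. 

```python
# Added example (not from Shulman's article): a software model of a keyword
# polyalphabetic cipher disk with 30-position rings, as one possible way the
# device described above could have been used. Ring contents, keyword and
# plaintext are all constructed for illustration.

RING_SIZE = 30

# Constructed 30-symbol ring: the Latin alphabet plus four accented letters.
# The actual letters on the ivory pieces are not known; this is an assumption.
BASE_RING = list("ABCDEFGHIJKLMNOPQRSTUVWXYZÄÅÉÖ")
assert len(BASE_RING) == RING_SIZE


def mixed_ring(keyword, base=BASE_RING):
    """Build a mixed ring: keyword letters first (duplicates dropped), then the
    remaining symbols in base order. This models laying the loose ivory
    letters into the 30 slots of a ring in an agreed, non-alphabetical order."""
    ring = []
    for ch in list(keyword.upper()) + base:
        if ch in base and ch not in ring:
            ring.append(ch)
    return ring


def _index(ring, ch):
    """Position of a symbol on a ring; symbols not on the ring are an error."""
    try:
        return ring.index(ch)
    except ValueError:
        raise ValueError(f"symbol {ch!r} is not on the ring") from None


def disk_encipher(plaintext, keyword, outer, inner):
    """Keyword polyalphabetic encipherment.

    outer: the fixed ring carrying the plaintext alphabet.
    inner: the rotatable ring carrying the cipher alphabet.
    For each letter the inner ring is turned so that its first slot sits under
    the key letter's position on the outer ring (offset = outer.index(k)), and
    the cipher symbol is read off the inner ring under the plaintext symbol."""
    key = keyword.upper()
    out = []
    for i, p in enumerate(plaintext.upper()):
        offset = _index(outer, key[i % len(key)])
        out.append(inner[(_index(outer, p) + offset) % RING_SIZE])
    return "".join(out)


def disk_decipher(ciphertext, keyword, outer, inner):
    """Reverse of disk_encipher: same rotation, read from inner back to outer."""
    key = keyword.upper()
    out = []
    for i, c in enumerate(ciphertext.upper()):
        offset = _index(outer, key[i % len(key)])
        out.append(outer[(_index(inner, c) - offset) % RING_SIZE])
    return "".join(out)


def disk_encipher_numeric(plaintext, keyword, outer):
    """Numerical substitution: instead of reading a letter from the inner ring,
    read the number 1-30 engraved under the aligned slot."""
    key = keyword.upper()
    return [(_index(outer, p) + _index(outer, key[i % len(key)])) % RING_SIZE + 1
            for i, p in enumerate(plaintext.upper())]


if __name__ == "__main__":
    outer = BASE_RING                   # plaintext ring in plain order
    inner = mixed_ring("STOCKHOLM")     # constructed mixed cipher ring
    ct = disk_encipher("ATTACK", "KEY", outer, inner)
    print(ct, disk_decipher(ct, "KEY", outer, inner))
    print(disk_encipher_numeric("ATTACK", "KEY", outer))
```

With identical outer and inner rings the model reduces to a Vigenère-style 
shift modulo 30; a mixed inner ring is what gives a disk of this kind its 
additional variety. Symbols that are not on the ring (spaces, punctuation) 
raise a ValueError rather than being silently dropped, since on the physical 
device they simply have no position. 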